A new vulnerability has been found in Microsoft Internet Explorer that impacts Internet Explorer versions 8 and 9 and is being used in the wild by cyber-criminals.
Other specific configurations of Internet Explorer 6, 7, 8, 9, 10, and 11 could also be vulnerable.
This weakness allows attackers to execute code on a machine by just having the user visit a malicious website.
According to Alex Watson, director of security research at security software provider Websense, this can happen, for example, when the user is tricked into clicking a link in an email or via compromised legitimate websites.
Resarch by Websense has found that almost 70% of Windows business users are susceptible to this IE zero-day exploit.
Watson explains: "We reviewed third-party telemetry feeds from real-time global internet requests to determine the initial scope. While the exploit appears to affect all versions of IE, at the moment attacks only seem to be targeting users of IE8 and IE9 who are running Windows 7 and XP operating systems. We encourage IT administrators to install the Microsoft FixIt patch (CVE-2013-3893 MSHTML Shim Workaround) to stop the vulnerability while waiting for a formal patch from Microsoft."
Ross Barrett, senior manager, security engineering at vulnerability management firm Rapid7, describes the vulnerability as a serious one, warning that companies and individuals need to be proactive in patching it up.
"Users and administrators should take immediate action to mitigate the risk," he says. "Considering the timing, I personally expect to see an out of band patch from Microsoft.
"All versions of IE are affected, which means that this vulnerability has likely been present since IE 6 was released in 2001. The fact that it is getting attention now is either due to a noticeable volume or impact of active exploitation in the wild. It may have just been discovered last week, or it may have been in the private toolkit of the world’s best malware writers for more than a decade."
Content from our partners
This is as severe as any browser issue can be, he adds. There are reports of public exploitation of the issue, and the vulnerability allows the attacker to gain the privileges of the user.
Barrett continues: "All too often on Windows that means Administrator level privileges. The mantra ‘I only visit safe sites’ is a false promise of protection, as it’s far too easy to misdirect, redirect, or otherwise cause a user to interact with a site that they are not expecting to."
Legitimate sites may also be compromised to host malware serving this exploit. The only mitigating factor is that, so far, the reported exploitation is limited to targeted attacks and the exploit code has not yet known to have made it into any commercial malware packs.
The simplest way to avoid this risk is to use a browser other than Internet Explorer, Barrett suggests.
"Users who must use Internet Explorer should install all available Internet Explorer patches, and only use the latest versions available. Neither of those things will directly help with this specific issue, but are good practices and pre-requisites for the following actions to be at all effective."
To mitigate the risk of exploitation from this issue, he also recommends that users install EMET 4.0, configure it to force ASLR, and enable a number of heap spraying and ROP protections.
"Additionally, there is a ‘fixit’ available from Microsoft, which will attempt to modify the system to prevent exploitation," he explains. "Fixits are not full-fledged patches which have gone through Microsoft’s generally rigorous quality assurance, so there is a risk that it’s not a complete solution or that it could cause compatibility issues with other products. Personally I would do both: install and configure EMET, and apply the fixit."
Websense researchers are currently examining data captured in the wild and hope to report their additional findings in the near future.
