Microsoft Issues Tool to Repair Internet Explorer Zero-Day Security Vulnerability

The vulnerability affects Internet Explorer versions 6, 7 and 8, according to the company.

Microsoft officials on Dec. 31 announced that they have released a tool to help users address a zero-day vulnerability affecting Internet Explorer.

The tool is meant to address a vulnerability discovered in the wild roughly a week ago. According to Microsoft, the issue affects IE versions 6, 7 and 8. Internet Explorer 9 and 10 are not affected.

The vulnerability affects how IE accesses an object in memory that has been deleted or not properly allocated. As a result, memory can be corrupted in a way that would allow an attacker to remotely execute code with the rights of the logged-on user.

"We encourage customers to apply the Fix it…to help ensure maximum protection," Dustin Childs, group manager of Microsoft Trustworthy Computing, said in a statement. "Additionally, customers should ensure their anti-malware solution is up-to-date and follow good network hygiene practices, such as enabling a firewall, for added protection against threats."

Microsoft stressed that it is still only seeing the vulnerability exploited in limited, targeted attacks. Initially, it was observed being used to target visitors to the Website of the Council on Foreign Relations, a foreign policy think tank based in the U.S.

"The site was believed to be compromised and used to serve up the zero-day exploit as part of watering-hole style attacks as far back as Dec. 21," according to Symantec's Security Response Team. "A flash file named today.swf was used to trigger the vulnerability in Internet Explorer."

In a blog post, Microsoft Research Center engineers Cristian Craioveanu and Jonathan Ness stated that the company has analyzed four exploits. While users await a patch, they can block attacks by taking a number of actions, including disabling JavaScript, which will prevent the vulnerability from being triggered initially. In addition, users can disable Flash to prevent the ActionScript-based heap spray from preparing memory in such a way that the freed object contains exploit code.

Another step users can take, according to the duo, is to disable the ms-help protocol handler and ensure that Java 6 is not allowed to run; this will block the address space layout randomization (ASLR) bypass associated with the return-oriented programming (ROP) chain.

Other workarounds include setting the local intranet security zone settings to "high" to block ActiveX Controls and deploying the Enhanced Mitigation Experience Toolkit (EMET).
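To decide which machines need the Fix it or the workarounds above, administrators can inventory clients still running IE 6, 7 or 8 from web proxy logs. The following is an added example, not code from the article or from Microsoft; the log layout and sample lines are constructed, and it relies on the Trident token to recover the real version when IE 9 or 10 reports "MSIE 7.0" in Compatibility View.

```python
import re

# Assumption: proxy log lines carry the User-Agent as the last quoted field.
# These lines are constructed for illustration, not taken from a real network.
SAMPLE_LOG = '''\
10.0.0.11 GET /index.html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.12 GET /index.html "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"
10.0.0.13 GET /index.html "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.14 GET /index.html "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
10.0.0.15 GET /index.html "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.16 GET /index.html "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
'''

AFFECTED = {6, 7, 8}                 # per the article; IE 9 and 10 are not affected
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10}  # engine token -> real browser version

MSIE_RE = re.compile(r"MSIE (\d+)\.")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.")

def real_ie_version(user_agent):
    """Return the installed IE major version, or None if the UA is not IE."""
    msie = MSIE_RE.search(user_agent)
    if not msie:
        return None
    # Compatibility View lowers the MSIE token; the Trident token does not change.
    trident = TRIDENT_RE.search(user_agent)
    if trident and int(trident.group(1)) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[int(trident.group(1))]
    return int(msie.group(1))

def affected_clients(log_text):
    """Map client IP -> IE version for clients running IE 6, 7 or 8."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split('"')
        if len(parts) < 3:
            continue  # no quoted User-Agent field; skip malformed line
        version = real_ie_version(parts[-2])
        if version in AFFECTED:
            hits[line.split()[0]] = version
    return hits

if __name__ == "__main__":
    for ip, version in sorted(affected_clients(SAMPLE_LOG).items()):
        print(f"{ip}\tIE {version}\tneeds Fix it or workaround")
```

User-Agent strings are client-supplied, so treat the result as a starting list to confirm against software inventory rather than as proof of the installed version.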

Microsoft did not offer an exact date as to when a patch would be ready. However, the company said it is working on a solution.

"We want to reiterate that IE9 and IE10 are not affected and that we currently see only very targeted attacks," blogged Craioveanu and Ness. "And we're working around the clock on the full security update. You should next expect to see an update from us announcing the availability of a Fix It tool to block the vulnerable code paths."

Microsoft did not offer an exact date as to when a patch would be ready, but stated that it is in the process of developing a true fix.

Jm Hipolito, technical communications specialist at Trend Micro, noted that watering-hole attacks such as the one targeting visitors to the Council on Foreign Relations site are evidence of how attackers use information about their targets to launch more effective attacks.

"If we look at how a watering-hole attack works, we'll see that the methods used are very much familiar to us," Hipolito blogged. "However, the strategic placing of the threat itself makes it threatening in a more different level than any other Web compromise or 0-day attack, in the same way that a spear-phishing email is more effective than the typical spam emails. Attackers are able to generate strong social-engineering methods by leveraging their knowledge of their target's profile, thus eliminating the need for creating very sophisticated tools. And this is something that users must fully realize, because the attackers are no longer just using software vulnerabilities, they're also using the users themselves."

Editor's Note: This article has been updated to include information about Microsoft's new tool to repair the IE zero-day security vulnerability.