Microsoft is warning customers of a newly discovered vulnerability affecting its Internet Explorer browser, versions 6 through 11. The flaw allows remote code execution: an attacker who successfully exploits it gains the same rights on the affected PC as the logged-in user. The company said there had already been “limited, targeted attacks” exploiting it.
This zero-day vulnerability represents a serious threat because Microsoft has yet to release a patch. It is also the first major vulnerability to be publicized since support for Windows XP ended. Even worse, Internet Explorer versions 6 to 11 account for some 26 percent of all PC browsers currently in use, according to NetMarketShare. Those who can should use an alternate browser until a fix has been issued. Anyone who depends on IE in the meantime can reduce the risk by installing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), although EMET only hardens the browser process against known exploitation techniques and does not remove the underlying flaw.
The flaw was first announced by FireEye Research Labs via a blog post. Microsoft has since published three separate blog posts on the vulnerability, which is tracked as CVE-2014-1776. Adobe Flash is not the source of the problem, but the exploit seen in the wild uses Flash to bypass Windows’ ASLR and DEP protections, so disabling the Flash add-on in IE breaks that exploit, FireEye said in its own post; it does not fix the IE flaw itself, and a different exploit chain could avoid Flash. Another mitigation, published by Microsoft, is to disable Vector Markup Language (VML) support in IE by unregistering VGX.DLL.
FireEye’s researchers said they had already spotted a number of targeted attacks in the wild, carried out by a known APT group. The observed attacks targeted IE 9, IE 10 and IE 11, and are triggered when a victim visits a booby-trapped web page hosting the exploit. FireEye says this group is behind several other “advanced persistent threat” campaigns, using a war chest of zero-day flaws to attack governments and organizations in order to steal confidential data.
“The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past,” wrote FireEye’s researchers. “They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure. They have a number of backdoors including one known as Pirpi that we previously discussed here. CVE-2010-3692, then a 0-day exploit in Internet Explorer 6, 7, and 8, dropped the Pirpi payload discussed in this previous case.”
The security firm is withholding details of the attacks, whether to protect the targets or to keep other attackers from mounting copycat attacks.
For now, CVE-2014-1776 has only been seen exploited by this one group, but there is a good chance other attackers will try to exploit it now that it has been publicly disclosed. Until Microsoft issues a proper patch, users should avoid IE versions 6 to 11 if at all possible; those who cannot should deploy EMET 4.1 or the EMET 5.0 Technical Preview and ensure that VML and Flash are disabled in IE. Users of IE 10 and 11 can also turn on Enhanced Protected Mode, which Microsoft lists as a further mitigation.
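As an added example (not code from the article, from Microsoft or from FireEye), the following PowerShell script applies the two host-level workarounds discussed above on a single Windows machine, and reverses them with -Revert once the patch is installed. It unregisters VGX.DLL from the standard "Common Files\Microsoft Shared\VGX" locations, which is how Microsoft's advisory disables VML, and it sets the IE "kill bit" (Compatibility Flags 0x400) on the Adobe Flash ActiveX control, a registry-level equivalent of disabling the add-on. The Flash CLSID and the kill-bit mechanism come from Microsoft's documentation; the VMLRender CLSID used in the verification step is an assumption and is marked as such in the code.

```powershell
#Requires -RunAsAdministrator
<#
  Added example; not code from the original article, Microsoft or FireEye.
  Without -Revert: unregister VGX.DLL (disables VML in IE) and kill-bit the Flash
  ActiveX control so IE refuses to load it. With -Revert: undo both after patching.
  Assumptions: vgx.dll lives under the standard Common Files\Microsoft Shared\VGX
  paths (32- and 64-bit on x64), and IE reads kill bits from the ActiveX
  Compatibility key in both the native and Wow6432Node hives on x64.
  Open IE windows must be closed and reopened before the changes take effect.
#>
param([switch]$Revert)

$FlashClsid     = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'   # Adobe Flash Player ActiveX control
$VmlRenderClsid = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}'   # VMLRender class (assumed CLSID)
$KillBit        = 0x400

function Get-VgxPaths {
    # Both the 32-bit and (on x64) the 64-bit renderer must be handled.
    $paths = @((Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'))
    if (${env:CommonProgramFiles(x86)}) {
        $paths += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
    }
    $paths | Where-Object { Test-Path $_ }
}

function Set-VmlRegistration([bool]$Enabled) {
    foreach ($dll in Get-VgxPaths) {
        # regsvr32 /u unregisters the DLL; omitting /u re-registers it after the patch.
        $regArgs = @('/s'); if (-not $Enabled) { $regArgs += '/u' }; $regArgs += "`"$dll`""
        $p = Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
                           -ArgumentList $regArgs -Wait -PassThru -WindowStyle Hidden
        if ($p.ExitCode -ne 0) { throw "regsvr32 exited with $($p.ExitCode) for $dll" }
        Write-Host ("VML {0}: {1}" -f $(if ($Enabled) { 'enabled' } else { 'disabled' }), $dll)
    }
}

function Get-CompatRoots {
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on x64 reads the redirected hive.
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    $roots
}

function Set-FlashKillBit([bool]$Enabled) {
    foreach ($root in Get-CompatRoots) {
        $key = Join-Path $root $FlashClsid
        if ($Enabled) {
            # Clear the kill bit so the Flash control loads again.
            if (Test-Path $key) {
                Remove-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            }
        } else {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $KillBit -Type DWord
        }
    }
}

function Test-Mitigations {
    # Report whether each workaround is currently in effect.
    $vmlRegistered = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$VmlRenderClsid",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$VmlRenderClsid"
    ) | Where-Object { Test-Path $_ }
    $killBits = foreach ($root in Get-CompatRoots) {
        $flags = (Get-ItemProperty -Path (Join-Path $root $FlashClsid) -ErrorAction SilentlyContinue).'Compatibility Flags'
        [bool]($flags -band $KillBit)
    }
    [pscustomobject]@{
        VmlDisabled   = ($vmlRegistered.Count -eq 0)
        FlashKillBit  = -not ($killBits -contains $false)
    }
}

Set-VmlRegistration -Enabled:$Revert
Set-FlashKillBit    -Enabled:$Revert
Test-Mitigations
```

Run from an elevated prompt; `.\ie-workarounds.ps1` applies both mitigations and prints a status object, `.\ie-workarounds.ps1 -Revert` restores VML and Flash once the fix is installed. Neither step patches the vulnerability, so EMET and, on IE 10 and 11, Enhanced Protected Mode remain worthwhile alongside them.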