Microsoft has warned that almost ALL versions of its Internet Explorer browser are prone to a zero-day vulnerability. The bug Microsoft identified is believed to have come about from the Java 7 zero-day exploit. This remote code execution vulnerability lies in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The more pressing worry is that the bug allows an attacker to corrupt memory and execute arbitrary code within Internet Explorer.
Microsoft hasn’t yet released a patch for this, but you should be aware that if you visit a malicious website (either intentionally or because your computer is infected with a browser redirector), an attacker would have the privileges to execute malicious code/script in, say, an HTML page and Flash file (e.g. a YouTube video).
Update: Microsoft is to release an emergency patch for this zero-day flaw in Internet Explorer tomorrow, 21st September.
Update 21st September: From Windows Explorer, type: Control Panel\System and Security\Windows Update and click ‘Check for updates’. Look for ‘Cumulative Security Update for Internet Explorer 9 for Windows 7 for x64-based Systems (KB2744842)’ (download size: 26.9 MB) and install it. You may need to restart your computer for this update to take effect.
Microsoft also said that IE on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode that mitigates the vulnerability. Outlook, Outlook Express and Windows Mail also open HTML messages in a restricted zone, which mitigates the vulnerability, but a user who clicks a link in a message could still be exposed to the exploit.
To protect Internet Explorer from this threat, Microsoft advises the following:
- The exploit requires Java to execute properly on IE 8/9 on Windows 7/Vista – I suggest you uninstall Java (even though the exploit works without Java in IE7 and XP/Vista and IE9 on XP)
- Configure IE to disable Active Scripting in both zones – click Tools > Internet Options > Security tab > Internet (‘Web content zone’) > Custom Level, scroll down the Security Settings dialogue until you see the ‘Scripting’ section, look for Active Scripting and select ‘Disable’. Restart the IE browser
- Download and install a secondary browser, e.g. Google Chrome or Mozilla Firefox
- Deploy the Enhanced Mitigation Experience Toolkit (EMET) – this is FREE (note: support for Windows Vista Service Pack 1 ended on July 12, 2011). EMET allows users to force applications to use one or both of ASLR and DEP, which are built into Windows 7 and Vista. However, be careful; see below.
How to install EMET
- Open EMET > Click “Configure Apps” button
- Select the “Add” button in the next box – a program selection prompt appears
- Browse to C:\Program Files\Internet Explorer > now add the “iexplore.exe” file
- You can also use File > Import to import one of Microsoft’s preconfigured and tested app lists – these can be found in the Deployment\Protection Profiles folder (under the location where you installed EMET)
- Accept all of the defaults that EMET adds (or that is added as part of the above list)
- Note: DO NOT CHANGE the ASLR and DEP settings as mentioned above. It is known that EMET can cause system performance and specific application issues. There also shouldn’t be any issues when using EMET with your existing anti-virus software
Bootnote: The EMET application applies tougher security measures to specific programs (additional protection on top of anti-virus software): it prevents hidden commands from being injected into code and it randomizes the programs’ location in memory. This makes it hard for an attacker to, for example, hijack a browser session.
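To confirm that the Active Scripting change and the KB2744842 update described above have actually taken effect, a check like the following can be run in PowerShell. This is an added example, not part of Microsoft's guidance or the original post; it assumes "both zones" means the Internet and Local intranet zones and that PowerShell 3.0 or later is available, and the function names are made up for illustration.

```powershell
# Added example (not from the original post): audit the mitigations above.
# Assumption: "both zones" means Local intranet (zone 1) and Internet (zone 3).
# URL action 1400 is Active Scripting: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$States    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Policy locations are checked first: a value pushed by Group Policy overrides
# the choice made in Internet Options, so the first hit is reported.
$ZoneRoots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingState {
    param([Parameter(Mandatory = $true)][int]$Zone)
    foreach ($root in $ZoneRoots) {
        $key  = Join-Path $root "$Zone"
        $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }          # key or value absent here
        $value = [int]$prop.'1400'
        $state = if ($States.ContainsKey($value)) { $States[$value] } else { "Unknown ($value)" }
        return [pscustomobject]@{
            Zone      = $ZoneNames[$Zone]
            State     = $state
            Mitigated = ($value -eq 3)             # only 'Disable' counts
            Source    = $root
        }
    }
    # No explicit value in any location: treat the mitigation as unconfirmed.
    [pscustomobject]@{
        Zone = $ZoneNames[$Zone]; State = 'Not set'; Mitigated = $false; Source = '(none)'
    }
}

function Test-IEUpdateInstalled {
    param([string]$KbId = 'KB2744842')             # the update named on this page
    # Get-HotFix returns nothing when the update is absent, which casts to $false.
    [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

$ZoneNames.Keys | Sort-Object |
    ForEach-Object { Get-ActiveScriptingState -Zone $_ } |
    Format-Table Zone, State, Mitigated, Source -AutoSize
'KB2744842 installed: {0}' -f (Test-IEUpdateInstalled)
```

The zone values are read for the current user, so run it in the session of the account that browses with IE rather than from a separate administrator account.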
Safe surfing folks!