Update: As of Friday, Sept. 21, Microsoft has now issued a patch for the new zero-day vulnerability we reported on Tuesday, Sept. 18. The patch should be automatically applied to those users who have automatic updates enabled. A separate patch has also been applied to a Flash vulnerability Microsoft discovered with the Internet Explorer 10 browser used by Windows 8.
Microsoft said it was investigating a new zero-day vulnerability in Internet Explorer that could affect millions of users running the latest versions of Internet Explorer on Microsoft’s most popular operating systems.
Specifically, Microsoft warned that the bug could affect users running Internet Explorer 6, 7, 8, and 9 on Windows XP, Vista, Windows 7, and Windows Server. Windows 8 and its integrated Internet Explorer 10 browser do not appear to be affected, Microsoft says. Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode and is also not affected.
While it’s unclear exactly how many users may be affected by the vulnerability, IE makes up 32.8% of the global browser market according to StatCounter, just a hair behind Chrome, at 33.6%.
Vulnerability Is Serious
Update: Microsoft has now issued a patch. At the time of the original report, Microsoft had not issued a patch, although it said that installing the Enhanced Mitigation Experience Toolkit (EMET) v3.0 may help mitigate the problem in the short term.
The vulnerability is considered to be a serious one, both in its scope and in its potential for harm. Basically, as Microsoft notes, “an attacker who successfully exploited this vulnerability could gain the same user rights as the current user”. In other words, the attacker could essentially do whatever they wanted with your computer: drop a keylogger or other snooping software, crash it, or perform other malicious activities. Symantec confirmed the vulnerability and found that the exploit code downloads additional malware.
According to Microsoft, the vulnerability could be exploited within a Web page: “An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
The vulnerability was discovered by security researcher Eric Romang, who was assisted by members of the Metasploit team, which develops a tool for “penetration testing” against suspected vulnerable machines.
Testing on a Microsoft Windows XP Pro SP3 machine with an up-to-date Adobe Flash plugin, Romang found that files cached on a server used by the alleged Chinese “Nitro” gang of hackers contained HTML code that launched a malicious Adobe SWF (Flash Player movie) file, which could execute arbitrary code on a user’s machine. The “Nitro” attacks (PDF) were a coordinated series of attacks that took place through Sept. 2011, targeted at the chemical and motor industries, apparently for the purposes of industrial espionage.
The team of hackers has since deleted the files from the server, indicating that they’re now aware that they’ve been spotted. That means that this particular “zero-day” hack has only a limited lifespan until Microsoft issues a patch.
So What Should You Do?
At this point, some security researchers are reportedly warning that you should stay away from Internet Explorer entirely until a patch is issued. That’s probably a little extreme, but it’s also absolutely safe. Unless and until Chrome and Firefox are also found to be vulnerable to this exploit, using one of those browsers is probably your best bet. You can also expect the major antivirus vendors to move quickly; McAfee, for example, said that it is already working on an update that will protect its users against the vulnerability.
If you’re using an older version of IE, you may as well take this opportunity to upgrade to the latest version that your operating system supports. You probably shouldn’t worry about opening HTML email; by default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which prevents the exploit code from running. But beware: clicking a link in an otherwise innocuous email message could still take you to an infected Web site, so, as always, use caution before clicking willy-nilly across the Web.