Microsoft confirms hackers exploiting critical IE bug, promises patch

Suggests temporary defenses, but others urge users to switch to Chrome or Firefox

Microsoft on Monday issued a security advisory that confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer. The software maker is working on a fix.

The advisory addressed the "zero-day" vulnerability -- meaning it was discovered and exploited before a patch was available -- that was found and disclosed by researcher Eric Romang over the weekend. On Monday, the Metasploit open-source penetration framework published an exploit module for the bug, putting pressure on Microsoft to act quickly.

"We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue," said Yunsun Wee, director of Microsoft's Trustworthy Computing group, in a post to the Microsoft Security Response Center blog.

All but one supported edition of IE are affected: 2001's IE6, 2006's IE7, 2009's IE8 and last year's IE9. Together, those browsers accounted for 53% of all browsers used worldwide in August. The only exception was IE10, the browser bundled with the new Windows 8, which does not contain the bug.

Monday's advisory was expected, said Andrew Storms, director of security operations at nCircle Security. "I think they had to get it out today," said Storms late Monday in an interview over instant messaging. "Too many people watching and waiting for something official."

Earlier Monday, Microsoft acknowledged that it was investigating reports of a vulnerability but did not promise a patch.

The bug, when Microsoft gets around to patching it, will be rated "critical," the company's highest threat ranking. Exploiting the flaw allows hackers to execute code -- in other words, plant malware on a machine -- and opens Windows XP, Vista and Windows 7 to drive-by attacks that only require getting victims to visit a malicious or compromised website.

Until a patch is available, Microsoft recommended that users block attacks by deploying EMET 3.0 (Exploit Mitigation Experience Toolkit), boosting IE's security zone settings to "high," and configuring the browser to display a warning before executing scripts.

EMET is a tool designed for advanced users, primarily enterprise IT professionals, that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications.

But not everyone agreed that EMET was the answer.

"[EMET] has its place, but I think most people would prefer the bug fix," said Storms. "EMET is one of those tools that takes time to deploy, [so] it's not a good idea to try and rush the deployment right now. It's kind of like a self-defeating process. Microsoft would like more people to use EMET, but given the few zero-days and relative quickness to patch things, the need for EMET seems to be reduced."

Microsoft may have committed to patching the IE vulnerability, but it has not said whether it will ship an "out-of-band" update, or one outside the regular monthly schedule known as Patch Tuesday.

The next Patch Tuesday is Oct. 9, three weeks from today.

Storms gave the odds of an out-of-band update a "decent likelihood," but added some caveats. "As usual, the code change is probably the quick part. It's the testing requirements that will take time. Let's see them put their new IE testing resources to work," said Storms.

Storms' reference to resources was a nod to Microsoft's July announcement that it was ditching its longstanding every-other-month patch plan for IE. "We have ... increased our Internet Explorer resources to the point where we will be able to release an update during any month instead of on our previous, bi-monthly cadence," Wee said at the time.

Microsoft will be more likely to release an emergency update if attacks increase or if it cannot come up with an easier way to defend IE than EMET. "If they can deliver a Fixit, they will," said Storms, talking about the automated tools that Microsoft often crafts to configure software settings. "That would [relieve] some of the pressure for a quick patch. If they can't do a Fixit and if the attacks go high, the out-of-band is sure to follow."

An alternative, others have argued, is to stop using IE until Microsoft fixes the bug. Earlier Monday, Rapid7's chief security officer HD Moore advised people to switch, if only temporarily, to Google's Chrome or Mozilla's Firefox.

"I was hoping for easier and less-obtrusive mitigations," Storms said. "My sense is Microsoft is working some late hours to get this [patch] out in a jiffy."

EMET 3.0, the tool Microsoft suggested users deploy, can be downloaded from the company's website. More information about EMET can be found in this support document.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
