Disable Flash, a new IE zero-day is under attack

Microsoft has confirmed that Internet Explorer (IE) 6 through 11 are vulnerable to an unpatched flaw which, security experts say, is being exploited through booby-trapped web pages that use Flash.

According to Microsoft's security advisory, published on Saturday, IE 6, 7, 8, 9, 10 and 11 contain a memory-corruption vulnerability that allows remote code execution: IE mishandles an object in memory that has already been deleted or was never properly allocated, and an attacker who triggers that condition can run arbitrary code with the rights of the logged-on user. The flaw leaves around half the world's browsers exposed, although, as Microsoft notes, the attacks seen so far are "limited" and targeted.

"In a Web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability," Microsoft notes. The attacker cannot force a victim onto that page; the victim has to be lured there, typically by a link sent in email or instant message.

While every version of IE contains the vulnerability, security vendor FireEye, which reported the flaw, has only seen IE 9 to 11 being attacked. According to the company, the exploit uses a "well-known Flash exploitation technique" to gain arbitrary read and write access to memory, which is how it gets past Windows' built-in anti-exploit protections, ASLR and DEP.

The bad news for IE users is that Microsoft has no patch yet for the vulnerability, tracked as CVE-2014-1776, and has not said whether it will fix it in the next Patch Tuesday release or issue an out-of-band update sooner.

There are, however, several mitigating factors. By default, IE on Windows Server runs in Enhanced Security Configuration, a restricted mode that blocks most script and ActiveX content, and Outlook opens HTML email in the Restricted sites zone, which does the same. Because a successful exploit runs with the rights of the logged-on user, accounts without administrative rights are less exposed than administrator accounts. And Microsoft stresses that an attacker would still have to convince the user to visit a booby-trapped website, most likely via a link in email or instant message.

Microsoft says version 4.1 of its Enhanced Mitigation Experience Toolkit (EMET) helps mitigate attacks on this bug, while EMET 3.0 does not.

According to FireEye, there are a few more steps admins can take that "break" the exploit it has observed: running EMET 4.1 or 5.0, and turning on Enhanced Protected Mode in IE, which is available in IE 10 and IE 11. It adds that the attack requires Adobe Flash in the browser. Flash is not the vulnerable component here; the exploit uses it to set up memory so that the IE bug can be turned into code execution. Removing Flash therefore blocks this particular exploit chain, but the IE flaw itself remains until Microsoft patches it.

“Disabling the Flash plugin within IE will prevent the exploit from functioning,” said FireEye.
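The workarounds above are registry and installation state on each Windows host, so they can be audited and, for the two that are registry changes, applied from a script. The PowerShell below is an added example and is not from Microsoft, FireEye or CSO. It assumes that the Flash ActiveX control can be blocked in IE with Microsoft's documented kill bit (Compatibility Flags 0x400 under the control's CLSID), that Enhanced Protected Mode is driven by the Isolation and Isolation64Bit values under the per-user Internet Explorer\Main key (in a domain, set the equivalent Group Policy instead of writing HKCU), and that EMET registers itself in the normal Uninstall key; verify those details against your own build before rolling it out.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's, FireEye's or CSO's code): audit the three
# workarounds on one host and, with -Apply, set the two that are registry changes.
# Assumptions to verify first: Flash CLSID and the 0x400 kill bit follow Microsoft's
# documented ActiveX Compatibility mechanism; EPM is controlled by the Isolation /
# Isolation64Bit values under HKCU\...\Internet Explorer\Main; EMET appears in the
# standard Uninstall key with a parseable DisplayVersion.
param([switch]$Apply)   # without -Apply the script only reports

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object
$KillBit    = 0x400                                       # ActiveX "Compatibility Flags" kill bit
$CompatKeys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit IE tabs on 64-bit Windows read the WOW6432Node view of the key
    $CompatKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
}
$IeMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-FlashKillBit {
    foreach ($k in $CompatKeys) {
        $flags = [int](Get-RegValue $k 'Compatibility Flags')   # missing value -> 0
        if (($flags -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

function Set-FlashKillBit {
    foreach ($k in $CompatKeys) {
        New-Item -Path $k -Force | Out-Null
        $flags = [int](Get-RegValue $k 'Compatibility Flags')
        # OR the kill bit in so any flags already set for this CLSID survive
        Set-ItemProperty -Path $k -Name 'Compatibility Flags' -Type DWord -Value ($flags -bor $KillBit)
    }
}

function Test-EnhancedProtectedMode {
    # IE 10 and 11 record their real version in svcVersion; older builds lack it
    $svc = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' 'svcVersion'
    if (-not $svc -or ([version]$svc).Major -lt 10) { return $false }
    return (Get-RegValue $IeMain 'Isolation') -eq 'PMEM'   # assumed EPM-on marker
}

function Enable-EnhancedProtectedMode {
    New-Item -Path $IeMain -Force | Out-Null
    Set-ItemProperty -Path $IeMain -Name 'Isolation'      -Type String -Value 'PMEM'
    Set-ItemProperty -Path $IeMain -Name 'Isolation64Bit' -Type DWord  -Value 1   # 64-bit content processes
}

function Get-EmetVersion {
    $uninstall = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' -and $_.DisplayVersion } |
        ForEach-Object { [version]$_.DisplayVersion } |
        Sort-Object -Descending | Select-Object -First 1
}

function Get-MitigationReport {
    $emet = Get-EmetVersion
    [ordered]@{
        'Flash ActiveX control kill-bitted in IE' = Test-FlashKillBit
        'Enhanced Protected Mode on (IE 10/11)'   = Test-EnhancedProtectedMode
        'EMET 4.1 or later installed'             = [bool]($emet -and $emet -ge [version]'4.1')
    }
}

$report = Get-MitigationReport
if ($Apply) {
    if (-not $report['Flash ActiveX control kill-bitted in IE']) { Set-FlashKillBit }
    if (-not $report['Enhanced Protected Mode on (IE 10/11)'])   { Enable-EnhancedProtectedMode }
    # EMET is a separate installer, not a registry flag; deploy it through your normal channel
    $report = Get-MitigationReport
}
$report.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
```

Run it without arguments from an elevated prompt to get a three-line true/false report, and with -Apply to set the kill bit and switch on Enhanced Protected Mode; IE has to be restarted before either takes effect. The kill bit is preferred over uninstalling Flash because it stops IE loading the control regardless of how many copies are on disk. Note what the report does not tell you: a host that passes all three checks has only raised the cost of this exploit chain, and still needs the Microsoft fix for CVE-2014-1776 when it ships.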


According to FireEye, the group behind this exploit has a track record of access to zero-day exploits for IE, Firefox and Flash.

"They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure," the company's malware experts noted. One of the backdoors the group has been known to use is "Pirpi", which Symantec documented in 2010, when it was likewise delivered against vulnerable versions of IE through links sent in email and instant messages.
