Microsoft has confirmed that Internet Explorer (IE) 6 through IE 11 are vulnerable to an unpatched flaw, which security experts say is being exploited in the wild via booby-trapped web pages that use Flash to set up the attack.
According to Microsoft’s security advisory on Saturday, IE 6, 7, 8, 9, 10, and 11 contain a memory-corruption vulnerability that allows remote code execution in the context of the logged-on user. The flaw leaves around half the world’s browsers vulnerable, although, as Microsoft notes, the attacks seen so far are “limited” and targeted.
“In a Web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability,” Microsoft notes. Attackers would have to dupe a victim into visiting an attack page, which they would typically do by sending links to a victim in email or instant message.
While all supported versions of IE contain the vulnerability, security vendor FireEye, which first reported the flaw, has only seen IE 9 through 11 being attacked. According to the company, the attackers are using a “well-known Flash exploitation technique” to arrange memory and bypass Microsoft’s built-in anti-exploit protections (ASLR and DEP).
The bad news for IE users is that Microsoft doesn’t yet have a patch for the vulnerability, CVE-2014-1776, and hasn’t decided whether to fix it in the next Patch Tuesday release or to issue a more immediate out-of-band update.
However, there are a number of mitigating factors. By default, IE on Windows Server runs in the restricted mode known as Enhanced Security Configuration, and Outlook opens HTML email messages in the Restricted sites zone, which blocks scripts and ActiveX controls. Because the exploit runs with the rights of the current user, accounts configured with fewer user rights (that is, not local administrators) limit what an attacker can do after a successful exploit. And Microsoft stresses that an attacker would have to convince a user to visit a booby-trapped website, most likely via links sent in email or instant message.
Microsoft says its Enhanced Mitigation Experience Toolkit (EMET) 4.1 will help mitigate attacks that use this bug, while the older EMET 3.0 does not.
According to FireEye, there are a few more steps admins can take that “break” the exploit: deploying EMET 4.1 or 5.0, and enabling Enhanced Protected Mode in IE, which is available in IE 10 and IE 11. It adds that the attack as observed requires the Adobe Flash plugin in the browser.
“Disabling the Flash plugin within IE will prevent the exploit from functioning,” said FireEye.
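The two FireEye workarounds, Enhanced Protected Mode and a disabled Flash plugin, can be audited (and the Flash one enforced machine-wide) from PowerShell. The script below is an added example for this page, not FireEye’s or Microsoft’s code. It assumes the IE 10/11 registry locations for Enhanced Protected Mode (the `Isolation` value under `Internet Explorer\Main`, with a Group Policy copy under `HKLM\Software\Policies`) and Microsoft’s standard ActiveX kill-bit mechanism, keyed on Adobe’s published CLSID for the Shockwave Flash control; verify both against the build you run it on before relying on the results.

```powershell
# Added example (not from the article, FireEye or Microsoft): audit the two
# FireEye-recommended mitigations on a Windows client and, on request, set the
# Flash kill bit. Registry locations are assumed from IE 10/11 behaviour.
# Reads work as a normal user; Set-IEFlashKillBit needs an elevated prompt.

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object (Adobe's CLSID)
$KillBit    = 0x400                                      # Compatibility Flags bit that blocks a control in IE

# IE reads the kill bit from ActiveX Compatibility\{CLSID}; on 64-bit Windows the
# 32-bit tab processes read the Wow6432Node copy, so both locations matter.
$KillBitPaths = @("HKLM:\Software\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    $KillBitPaths += "HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
}

function Get-IEEnhancedProtectedMode {
    # Per-user setting: Isolation = 'PMEM' when EPM is on ('PMIL' or absent when off).
    # A Group Policy value, when present, overrides the user's choice.
    $policy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main' `
                               -Name Isolation -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                               -Name Isolation -ErrorAction SilentlyContinue
    $value  = if ($policy) { $policy.Isolation } elseif ($user) { $user.Isolation } else { $null }
    [pscustomobject]@{
        Setting = 'EnhancedProtectedMode'
        Source  = if ($policy) { 'GroupPolicy' } elseif ($user) { 'User' } else { 'NotSet' }
        Enabled = ($value -eq 'PMEM')
    }
}

function Get-IEFlashKillBit {
    # Report, per registry view, whether the kill bit is set on the Flash control.
    foreach ($p in $KillBitPaths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Setting = 'FlashKillBit'
            Path    = $p
            Enabled = ($null -ne $flags -and (($flags -band $KillBit) -ne 0))
        }
    }
}

function Set-IEFlashKillBit {
    # Block the Flash ActiveX control for every IE user on this machine (requires elevation).
    # Preserves any other compatibility flags already set. To undo:
    #   Remove-ItemProperty -Path <path> -Name 'Compatibility Flags'
    foreach ($p in $KillBitPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]($existing -bor $KillBit)
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
    Get-IEFlashKillBit
}

# Audit only; call Set-IEFlashKillBit from an elevated prompt to enforce the Flash block.
Get-IEEnhancedProtectedMode
Get-IEFlashKillBit
```

Two caveats a practitioner should keep in mind. The kill bit is machine-wide and cannot be overridden from Manage add-ons; for a single user it is simpler to disable “Shockwave Flash Object” under Tools, Manage add-ons. And Enhanced Protected Mode is only a partial answer: it hardens the sandbox and, on 64-bit Windows with the 64-bit tab process option, changes the memory layout the exploit relies on, but it does not remove the underlying bug, so the patch still has to be applied when it ships.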
According to the security vendor, the group responsible for this exploit has a track record of access to a number of zero-day exploits for IE, Firefox and Flash.
“They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure,” the company’s malware experts noted. One of the backdoors the group has been known to use is “Pirpi”, which Symantec documented in 2010; that campaign likewise targeted vulnerable versions of IE via links sent in email and instant message.