Disable Flash, a new IE zero-day is under attack

Microsoft has confirmed Internet Explorer (IE) 6 through to IE 11 are vulnerable to an unpatched flaw, which security experts say is being attacked via booby-trapped Flash Web pages.

According to Microsoft’s security advisory on Saturday, IE 6, 7, 8, 9, 10, and 11 contain a memory vulnerability that exposes them to a remote code execution attack. The flaw leaves around half the world’s browsers vulnerable, although as Microsoft notes, the attacks are currently “limited”.

“In a Web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability,” Microsoft notes. Attackers would have to dupe a victim into visiting an attack page, which they would typically do by sending links to a victim in email or instant message.

While all versions of IE contain the vulnerability, security vendor FireEye, which initially reported the flaw, has only seen IE 9 to 11 being attacked. According to the company, the attackers are using a “well-known Flash exploitation technique” to gain access to memory and bypass Microsoft’s built-in anti-exploit technologies.

The bad news for IE users is Microsoft doesn’t have a patch for the vulnerability CVE-2014-1776 and hasn’t determined whether to fix it in the next Patch Tuesday or issue a more immediate out of band patch.

However, there are a number of mitigating factors, including that by default IE on Windows Server runs in restricted mode while Outlook opens HTML email messages in the Restricted sites zone. Also, users whose accounts are configured with fewer user rights could also be less impacted. And Microsoft stresses that an attacker would have to convince a user to visit a booby-trapped website, most likely with links in email or instant message.

Microsoft says its Enhanced Mitigation Experience Toolkit (EMET) 4.1 will help mitigate attacks that use this bug while EMET 3.0 does not.

According to FireEye, there are a few more steps admins can take that "break" the exploit, including EMET 4.1 and 5.0 and using Enhanced Protected Mode in IE, which is available in IE 10 and IE 11. It adds that the attack requires Adobe Flash in the browser.

“Disabling the Flash plugin within IE will prevent the exploit from functioning,” said FireEye.

Read more: Microsoft updates four key workarounds for Internet Explorer 0day attacks

According to the security vendor, the group responsible for this exploit has a track record for having access to a number of zero-day exploits for IE, Firefox and Flash.

“They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure,” the company’s malware experts noted. One of the backdoors they have been known to use is “Pirpi”, which Symantec discovered in 2010, and similarly was used against vulnerable versions of IE that were targeted via links in email and instant message.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Microsoftie6FireEyePatch Tuesdayanti-exploit technologiesunpatchedvulnerable

More about Adobe SystemsFireEyeMicrosoftSymantecToolkit

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts