Attacks on newly discovered vulnerability in IE 6 and 7
Microsoft is warning of an unpatched vulnerability in Internet Explorer 6 and 7, which is already being actively exploited in targeted attacks to infect Windows PCs with a Trojan. According to Microsoft, the issue is caused by improperly deleted pointers, which are still accessible after objects are released. The injected code will run with user privileges. The bug is in the component iepeers.dll.
Microsoft says it will "continue to monitor" the situation – as already there is the F1 vulnerability in Internet Explorer which remains unpatched from the beginning of last week – and further examine the problem. Upon completion of their investigation they will decide whether or not to publish an out-of-cycle patch. They recommend users switch to Internet Explorer 8 as it is not affected. In addition, Protected Mode in Internet Explorer on Windows Vista or later Windows OS limits the impact of this attack because a successful attack only results in very limited system rights.
Alternatively, users can also switch to Firefox, Opera, Chrome or Safari. However, even these browsers have vulnerabilities, but they are not attacked as frequently as Internet Explorer. Since studies have shown that in most cases it is holes in Adobe Reader and Flash plug-ins that are exploited to infect a PC via the web, the perceived security of the browser plays a smaller role than before.
As a workaround, Microsoft also recommends restricting permissions on the faulty component iepeers.dll and instructions on how to do this can be found in the original Microsoft report. However, this may mean that some functions no longer work correctly. In addition, the report describes Disabling Active scripting and turning on the Data Execution Prevention (DEP) protection.
Because Outlook, Outlook Express and Windows Mail open HTML email by default in the Restricted sites zone were Active Scripting and ActiveX controls are prevented, the vulnerability cannot be exploited through these mail programs. However if a user clicks a link in an email they could still be vulnerable.
- Vulnerability in Internet Explorer Could Allow Remote Code Execution, security advisory from Microsoft.
- Zero-day exploit for Internet Explorer, a report from The H.