Zero-Day-ThursdayNetwork admins who had just breathed a sigh of relief because their systems were all patched for another month – at least in relation to vulnerabilities in Microsoft software – didn’t get to feel secure for long. On Thursday, they found that they had something else to worry about, as reports started coming out about a newly-discovered zero day vulnerability in some versions of Internet Explorer.

The exploit utilizes an HMTL/JavaScript web page that runs a Flash object and redirects visitors to the site that contains the exploit code through an iframe. An iframe is one HTML document that’s embedded in another HTML doc and is frequently used for incorporating ads and interactive applications into web pages. The iframe element has been misused by attackers on numerous occasions, including the iframe overlay attacks on ABC News and other news pages in 2008.

 

The iframe was embedded in the web site of the Veterans of Foreign Wars (VFW), a non-profit organization for U.S. military veterans. One of the bad things about this type of exploit is that you don’t have to consciously visit a questionable site to fall victim to it, so no matter how careful you are to visit only “known good” web sites, it can still get you.

 

This vulnerability was actually discovered on Patch Tuesday (February 11) by FireEye researchers, although it didn’t become big news immediately. It was already being exploited in the wild, thus the “zero day” label. Since it comes just as much of the U.S. is covered in wintry precipitation, it’s either appropriate or ironic that the attack has been named “Operation Snowman.” The FireEye blog indicates that the attackers may be the same ones responsible for two previous, similar attacks, who are known for targeting government agencies and defense companies, as well as law firms, IT companies and Japanese businesses.

 

Microsoft is aware of the exploit and has confirmed that it affects Internet Explorer versions 9 and 10. The attack is able to bypass the ASLR (Address Space Layout Randomization) protection in the browser. The immediate workaround is to upgrade to IE 11, which comes with Windows 8/8.1 and can be downloaded and installed on Windows 7.  Unfortunately, however, you can’t install IE 11 on Windows XP or Vista – which, according to the latest NetMarketShare statistics, are still running on more than 30 percent of desktop computers.

 

Many security writers are recommending that if you have XP or Vista systems in your organization, you should switch to an alternate web browser such as Google Chrome or Mozilla Firefox until a patch has been released. However, there are some mitigations and workarounds to be aware of. Researchers have determined that installing Microsoft’s Experience Mitigation Toolkit (EMT) can prevent the exploit from working. In addition, since the exploit uses Flash, it would not work on systems that don’t have Adobe Flash Player installed.

 

As with any zero day vulnerability, Microsoft was caught off-guard by the attacks and is now working with FireEye to investigate the situation and fix the flaw.