IEA critical, zero-day exploit against all versions of Microsoft® Corporation’s Internet Explorer® (IE) was announced by Microsoft. Users of every version of IE from the no longer supported IE6 all the way through the brand new IE11 that isn’t even publicly available yet are cautioned about this vulnerability, which when exploited can result in remote code execution in the context of the logged on user. At the time of this writing, only a workaround exists, not a patch for the bug.

In Microsoft Security Advisory  2887505, the company provides details regarding the vulnerability, how it can be exploited, and mitigation options. The actual vulnerability exists in mshtml.dll and how released memory is reallocated. If a user visits a compromised web page using IE, exploit code can be executed on the local machine in the security context of the logged-on user. By default, IE runs in restricted mode which mitigates this vulnerability. Of course, almost all of us turn that off since it renders much of the Internet unusable, including many of Microsoft’s own sites like Windows Update. For corporate users who typically do not get administrative privileges on their workstations, the impact of a successful exploit will probably be minimal, but for home users who have local administrative rights on their machines, remote code execution could do everything from installing a remote access Trojan to a keylogger, or turn a PC into a zombie, ready to spew spam and participate in DDoS attacks.

Mitigation options depend on the audience. Home users and corporate users with administrative privileges can run a Microsoft Fix-It to install a shim that blocks the exploitation of this vulnerability, though it does not patch the vulnerability. The Fix-It can be found at: http://go.microsoft.com/?linkid=9838025. Enterprise customers are advised to deploy the Enhanced Mitigation Experience Toolkit (EMET) to mitigate the vulnerability. Users could also choose to use a different browser, such as Chrome or Firefox, to avoid this particular vulnerability, but for many businesses this won’t be an option.

While a patch for this vulnerability will no doubt be released, it remains to be seen whether it will come in October’s patch Tuesday or be released as an out-of-band patch. Whichever occurs, it cannot come soon enough, so mitigation is really the only safe choice at this time

Technical details of the exploit are well documented at: http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx. That blog post goes into depth on how mshtml.dll and hxds.dll are taken advantage of by exploit code written entirely in Javascript. This issue is also being tracked as CVE-2013-3893.

While a user must browse to a site hosting exploit code in order to be exploited, this is not as unlikely a thing to happen as it used to be. With the millions of blogs and personal websites on the Internet today that are vulnerable to other exploits, attackers are finding it very easy to host their malicious code. Others use user-sourced ads on otherwise benign websites to deliver their exploit code. And of course, traditional phishing methods like sending links in email and instant messaging will surely fool some users into visiting a malicious site.

This zero-day vulnerability underscores the importance of a layered defence. Enterprises must have web-filtering capabilities that can help to protect users from compromised websites, enterprise software deployment solutions that can push out mitigations like the EMET and the eventual patch for this vulnerability, and user awareness campaigns to help users protect themselves at home. After all, how many users access company data from personally owned systems, be that using webmail at home, or a BYOD device at work? Companies should also take a much more proactive stance regarding upgrades. IE6 is vulnerable, and since it is well past end of life, it probably won’t see a patch. Far too many companies are still using IE6 because of some legacy application. This may be the final nail in the coffin for them.

Because of the vast number of devices impacted and the critical nature of a successful exploit, we expect that Microsoft will release an OOB patch soon. Don’t wait for that to happen. Implement one of the mitigations immediately, and then keep a very close eye out for further information and the eventual patch.

Like our posts? Subscribe to our RSS feed or email feed (on the right hand side), and be the first to get them!