Latest IE 0-day insight: Background, severity and solutions

This recently discovered Internet Explorer zero-day vulnerability is bad. Users and administrators should take immediate action to mitigate the risk. Considering the timing, I personally expect to see an out-of-band patch from Microsoft.

All versions of IE are affected, which means that this vulnerability has likely been present since IE 6 was released in 2001. It is getting attention now either because of a noticeable volume of active exploitation in the wild or because of the impact of that exploitation. It may have been discovered only last week, or it may have sat in the private toolkit of the world’s best malware writers for more than a decade.

This is as severe as any browser issue can be. There are reports of public exploitation of the issue, and the vulnerability allows the attacker to gain the privileges of the user. All too often on Windows that means Administrator-level privileges.

The mantra “I only visit safe sites” is a false promise of protection, as it’s far too easy to misdirect, redirect, or otherwise cause a user to interact with a site that they are not expecting to. Legitimate sites may also be compromised to host malware serving this exploit.

The only mitigating factor is that so far the reported exploitation is limited to targeted attacks, and the exploit code is not yet known to have made it into any commercial malware packs.

The simplest way to avoid this risk is to use a browser other than Internet Explorer. Users who must use Internet Explorer should install all available Internet Explorer patches and run only the latest version available. Neither of those things will directly help with this specific issue, but they are good practices and prerequisites for the following actions to be at all effective.

To mitigate the risk of exploitation from this issue, install EMET 4.0, configure it to force ASLR, and enable its heap-spray and ROP protections. Additionally, there is a “fixit” available from Microsoft which will attempt to modify the system to prevent exploitation.

Fixits are not full-fledged patches that have gone through Microsoft’s generally rigorous quality assurance, so there is a risk that a fixit is not a complete solution or that it causes compatibility issues with other products. Personally I would do both: install and configure EMET, and apply the fixit.
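The steps above are easy to state and easy to leave half-done across a fleet, so a quick audit helps. The following PowerShell script is an added example, not part of the original post or of Microsoft's tooling. It reports the installed IE version, whether EMET 4.0 appears to be installed, whether iexplore.exe has an EMET application entry, and the system-wide ASLR setting. The EMET install folder (`EMET 4.0` under Program Files), the `HKLM\SOFTWARE\Microsoft\EMET\AppSettings` key, and the `MoveImages` interpretation are assumptions based on EMET 4.0 defaults; verify them against your build. It only reads state; applying EMET settings and the fixit is still done with Microsoft's own tools.

```powershell
# Added audit example (not from the original post). Read-only: reports the
# state of the mitigations the post recommends, does not change anything.

function Get-IEVersion {
    # svcVersion exists on IE 10 and later; older builds expose only Version.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'not found' }
    if ($props.svcVersion) { return $props.svcVersion }
    return $props.Version
}

function Get-EmetConfPath {
    # ASSUMPTION: EMET 4.0 installs to "<Program Files>\EMET 4.0" by default.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($root in $roots) {
        $candidate = Join-Path $root 'EMET 4.0\EMET_Conf.exe'
        if (Test-Path $candidate) { return $candidate }
    }
    return $null
}

function Get-EmetIEEntries {
    # ASSUMPTION: EMET 4.x keeps per-application settings under this key, with
    # the executable path as the value name and mitigation overrides as data.
    $key = 'HKLM:\SOFTWARE\Microsoft\EMET\AppSettings'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    $item.GetValueNames() |
        Where-Object { $_ -like '*iexplore.exe*' } |
        ForEach-Object { [pscustomobject]@{ App = $_; Overrides = $item.GetValue($_) } }
}

function Get-SystemAslrSetting {
    # MoveImages governs system-wide ASLR: 0 = disabled, 0xFFFFFFFF = always on,
    # absent or any other value = opt-in (the OS default). EMET's "System ASLR"
    # setting is understood to write this value (assumption; confirm locally).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $v = (Get-ItemProperty -Path $key -Name MoveImages -ErrorAction SilentlyContinue).MoveImages
    if ($null -eq $v)                        { return 'OptIn (default, value absent)' }
    if ($v -eq 0)                            { return 'Disabled' }
    if ($v -eq -1 -or $v -eq 0xFFFFFFFF)     { return 'AlwaysOn' }
    return "OptIn (raw value $v)"
}

function Get-IEMitigationReport {
    $emet    = Get-EmetConfPath
    $entries = @(Get-EmetIEEntries)
    [pscustomobject]@{
        IEVersion          = Get-IEVersion
        EmetInstalled      = [bool]$emet
        EmetConfPath       = $emet
        IERegisteredInEmet = ($entries.Count -gt 0)
        EmetIEEntries      = $entries
        SystemASLR         = Get-SystemAslrSetting
    }
}

# Usage: run in an elevated PowerShell session so HKLM and Program Files are readable.
$report = Get-IEMitigationReport
$report | Format-List

if (-not $report.EmetInstalled)      { Write-Warning 'EMET not found; install EMET 4.0.' }
if (-not $report.IERegisteredInEmet) { Write-Warning 'iexplore.exe has no EMET application entry.' }
if ($report.SystemASLR -eq 'Disabled') { Write-Warning 'System-wide ASLR is disabled.' }
```

The script deliberately stops at reporting: a host that shows EMET installed but iexplore.exe unregistered, or ASLR disabled, is one where the steps above were only partly applied, which is exactly the gap an attacker exploiting this class of bug relies on.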
