Security Warning: Vulnerability
in Internet Explorer Being
Actively Exploited in Targeted Attack
9/19/2012 Updated 9/21/2012
A vulnerability in
Internet Explorer 6,
Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 is
exploited in a targeted attack to install the Poison Ivy backdoor
program that hackers use to steal data or take remote control of PCs.
Explorer being actively exploited on
(A "warning" alert is for a situation that are currently
conditions are right for the situation to occur soon.)
Severity: Medium. Exploit
is possible merely by visiting a
malicious web site; no other action by the user is required. An attacker can only gain the same user
rights as the current user.
As I read the
available information, the exploits were spear
phishing attacks going after specific targets. The attacks are
targeting only 32-bit versions of
Internet Explorer and
rely on third-party browser plugins to bypass the built-in mitigations
Windows Vista and 7 such as DEP and ASLR. In particular, all
exploits rely on the presence of
shipped by Java 6.
patching experts and Microsoft security teams reacted
swiftly. We should not overreact to a
single un-patched vulnerability in a web browser as there are likely
Today, Microsoft released a so called "out-of-band" security bulletin (MS12-063) with a cumulative security update for Internet Explorer.
Last Wednesday Microsoft made a
Fix It solution available for the
vulnerability in Internet Explorer that is being actively
exploited. Now that the cumulative security update for Internet
Explorer is available, the Fix It solution is no longer needed.
An attacker who successfully exploits this vulnerability
could gain the same user rights as the current user.
An attacker hosts
a website that is used to exploit this
vulnerability. Currently at least one
such website is known and being blocked by McAfee SiteAdvisor web
add-on and other Internet security products. Other exploits of
the vulnerability are possible.
major virus protection products are detecting and blocking the currently active
however, other exploits are possible and updated virus definitions for
exploit might be needed and take time to be developed and distributed.
Even if you don't actively use IE, many utilities and
third-party applications make use of IE code. So, keeping IE
updated is important.
How Do I Protect My Computer?
Log on with a
limited user account (LUA), that is, a normal user
account without administrator or power user rights, for every-day,
non-administrative use of your computer, especially browsing the web
reading e-mail. Users whose accounts are
configured to have fewer user rights on the system could be less
users who operate with administrative user rights.
Use a web site reputation product
that annotates web searches
such as McAfee
SiteAdvisor, which is a free
service, and/or a web content filter service that prevents accessing
websites that are known to be malicious. The server IP
address for the current exploit
is known (and published by a few virus protection companies).
Make sure that you have a current
subscription to a virus
protection product on all your devices, it is getting updates for virus
definitions and engine updates, and the real-time protection is enabled.
If you previously installed Microsoft Fix It solution "Prevent Memory Corruption via ExecCommand in Internet Explorer", disabling it is not necessary.
Install the security update in Microsoft Security Bulleting MS12-063.
If you made the recommended tweaks to ratchet up security settings in IE, you may restore them.
Upgrade Java to
you are running Windows XP, install and configuring the Enhanced Mitigation
Experience Toolkit (EMET). You’ll
need to have Microsoft .NET framework installed. However,
some security researchers are reporting
that EMET is not completely effective in protecting the
If you do not
need Flash Player or Java, uninstall them as the
current exploit uses them to setup your PC for the exploit. As
always, ITPS also recommends that you kept
Flash Player, Java, and other non-Microsoft products (as well as all
news and advice
Microsoft Security Bulletin MS12-063
Knowledge Base Article 2757760 (includes links
to the Microsoft Fix It)
Security Response Center: Cumulative Security Update for Internet Explorer
Security Response Center: Internet Explorer Fix It available
Security Research & Defense: More information on Security Advisory
2757760's Fix It
If you need assistance installing protection from
malicious web sites or a security assessment, IT Professional
Services can help. Call our
If you do not have network edge
protection that can do
web content filtering, ITPS has a Unified Threat Management (UTM)
service that can provide that protection. To
schedule a free 30-day trial of the UTM gateway, contact us.
If you do not
have a patch management system that patches common
non-Microsoft products such as Flash Player or Java, ITPS has a patch
management service that patches common non-Microsoft products.
out more about our Managed
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.