Security Alerts

Security Warning:  Vulnerability in Internet Explorer Being Actively Exploited in Targeted Attack
9/19/2012
Updated 9/21/2012

A vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 is being actively exploited in a targeted attack to install the Poison Ivy backdoor Trojan horse program that hackers use to steal data or take remote control of PCs.

Threat Level

Warning:  Internet Explorer being actively exploited on the Internet.

(A "warning" alert is for a situation that is currently occurring, or for which conditions are right for it to occur soon.)

Severity:  Medium. Exploit is possible merely by visiting a malicious web site; no other action by the user is required.  An attacker can only gain the same user rights as the current user.

Analysis

As I read the available information, the exploits were spear phishing attacks going after specific targets.  The attacks are targeting only 32-bit versions of Internet Explorer and rely on third-party browser plugins to bypass the built-in mitigations of Windows Vista and 7 such as DEP and ASLR.  In particular, all exploits rely on the presence of non-ASLR modules shipped by Java 6.

Security and patching experts and Microsoft security teams reacted swiftly.  We should not overreact to a single un-patched vulnerability in a web browser as there are likely many of them.

Today, Microsoft released a so-called "out-of-band" security bulletin (MS12-063) with a cumulative security update for Internet Explorer.

Last Wednesday Microsoft made a Fix It solution available for the vulnerability in Internet Explorer that is being actively exploited.  Now that the cumulative security update for Internet Explorer is available, the Fix It solution is no longer needed.

An attacker who successfully exploits this vulnerability could gain the same user rights as the current user.

An attacker hosts a website that is used to exploit this vulnerability.  Currently at least one such website is known and being blocked by McAfee SiteAdvisor web reputation add-on and other Internet security products.  Other exploits of the vulnerability are possible.

Most major virus protection products are detecting and blocking the currently active exploit; however, other exploits are possible and updated virus definitions for a new exploit might be needed and take time to be developed and distributed.

Even if you don't actively use IE, many utilities and third-party applications make use of IE code.  So, keeping IE updated is important.

How Do I Protect My Computer?

Log on with a limited user account (LUA), that is, a normal user account without administrator or power user rights, for every-day, non-administrative use of your computer, especially browsing the web and reading e-mail.  Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Use a web site reputation product that annotates web searches such as McAfee SiteAdvisor, which is a free service, and/or a web content filter service that prevents accessing websites that are known to be malicious.  The server IP address for the current exploit is known (and published by a few virus protection companies).

Make sure that you have a current subscription to a virus protection product on all your devices, it is getting updates for virus definitions and engine updates, and the real-time protection is enabled.

If you previously installed the Microsoft Fix It solution "Prevent Memory Corruption via ExecCommand in Internet Explorer", disabling it is not necessary.

Install the security update in Microsoft Security Bulletin MS12-063.

If you made the recommended tweaks to ratchet up security settings in IE, you may restore them.

Upgrade Java to version 7.

If you are running Windows XP, install and configure the Enhanced Mitigation Experience Toolkit (EMET).  You’ll need to have the Microsoft .NET Framework installed.  However, some security researchers are reporting that EMET is not completely effective in protecting against the vulnerability in Internet Explorer.

If you do not need Flash Player or Java, uninstall them, as the current exploit uses them to set up your PC for the exploit.  As always, ITPS also recommends that you keep Flash Player, Java, and other non-Microsoft products (as well as all Microsoft products) up-to-date.
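The following PowerShell script is an added example, not part of the ITPS bulletin or any Microsoft tool: it reads the workstation's state against the checklist above (limited user account, affected IE version, MS12-063 update present, Java 6 still installed, Flash Player present, EMET present) and prints findings without changing anything. The bulletin does not state the KB article number for MS12-063, so that number is a parameter with an obvious placeholder that you fill in from the bulletin; the registry locations for the Java runtime version, the Internet Explorer version and the Uninstall entries are standard Windows keys.

```powershell
# Added example: read-only workstation check against the bulletin's checklist.
# Not the bulletin's or Microsoft's code. Run in a normal PowerShell session.
param(
    # Placeholder: replace with the KB article number that MS12-063 lists.
    [string]$Ms12063Kb = 'KB0000000'
)

$findings = @()

# 1. Limited user account: browse and read e-mail without administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Current session has administrator rights; use a limited user account for everyday work."
}

# 2. Internet Explorer version: IE6 through IE9 are the affected versions.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
if ($ieVersion) {
    $ieMajor = [int]($ieVersion -split '\.')[0]
    if ($ieMajor -ge 6 -and $ieMajor -le 9) {
        $findings += "Internet Explorer $ieVersion is in the affected range (IE6-IE9); make sure MS12-063 is applied."
    }
}

# 3. Cumulative update: Get-HotFix lists installed Windows updates by KB id.
$hotfix = Get-HotFix -Id $Ms12063Kb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    $findings += "Update $Ms12063Kb (MS12-063) is not installed; install it."
}

# 4. Java: the exploits rely on non-ASLR modules shipped with Java 6.
#    CurrentVersion is '1.6' for Java 6 and '1.7' for Java 7; both 64-bit and
#    32-bit (Wow6432Node) runtimes are checked because the attacks target 32-bit IE.
$javaKeys = @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
              'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
foreach ($key in $javaKeys) {
    $jre = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($jre -and $jre.CurrentVersion -and ([version]$jre.CurrentVersion -lt [version]'1.7')) {
        $findings += "Java runtime $($jre.CurrentVersion) found under $key; upgrade to Java 7 or uninstall it."
    }
}

# 5. Installed programs: Flash Player (uninstall if unneeded) and EMET (Windows XP).
$uninstallKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName } |
             Select-Object -ExpandProperty DisplayName
if ($installed -match '^Adobe Flash Player') {
    $findings += "Flash Player is installed; uninstall it if not needed, otherwise keep it updated."
}
if (-not ($installed -match 'Enhanced Mitigation Experience Toolkit|^EMET')) {
    $findings += "EMET is not installed; consider it on Windows XP (the bulletin notes it is not a complete protection here)."
}

if ($findings.Count -eq 0) { "No findings." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it as the account that is normally used for browsing, since the first check reports on the current session's rights; a result of "No findings" only means the items on this checklist are satisfied, it does not mean the virus protection subscription or the web reputation add-on (which the script does not examine) are in place.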

More Information

Sophos news and advice

Microsoft Security Bulletin MS12-063

Security Advisory 2757760

Microsoft Knowledge Base Article 2757760 (includes links to the Microsoft Fix It)

Microsoft Security Response Center: Cumulative Security Update for Internet Explorer

Microsoft Security Response Center: Internet Explorer Fix It available

Microsoft Security Research & Defense: More information on Security Advisory 2757760's Fix It

Professional Services

If you need assistance installing protection from malicious web sites or a security assessment, IT Professional Services can help. Call our help desk.

If you do not have network edge protection that can do web content filtering, ITPS has a Unified Threat Management (UTM) gateway service that can provide that protection.  To schedule a free 30-day trial of the UTM gateway, contact us.

If you do not have a patch management system that patches common non-Microsoft products such as Flash Player or Java, ITPS has a patch management service that patches common non-Microsoft products.

Find out more about our Managed Care service.

To find out how vulnerable your network is, schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.


© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030