Active 0day attack hijacking IE users threatens a quarter of browser market


Attackers are actively exploiting a previously unknown vulnerability in all supported versions of Internet Explorer that allows them to surreptitiously hijack vulnerable computers, Microsoft warned Sunday.

The zero-day code-execution hole in IE versions 6 through 11 represents a significant threat to Internet security because there is currently no fix for the underlying bug, which affects an estimated 26 percent of the total browser market. It’s also the first severe vulnerability to affect Windows XP users since Microsoft withdrew support for that aging OS earlier this month. Users who have the option of using an alternate browser should avoid all use of IE for the time being. Those who remain dependent on the Microsoft browser should immediately install EMET, Microsoft’s freely available toolkit that greatly extends the security of Windows systems.

The vulnerability is formally indexed as CVE-2014-1776. Microsoft has blog posts here, here, and here that lay out the bare-bones details uncovered at this early stage in its investigation. Although there is no exploited vulnerability in Adobe Flash, disabling the browser add-on will also neutralize the attacks, analysts at security firm FireEye Research Labs wrote in a separate blog post published Sunday. Disabling vector markup language (VML) support in IE also mitigates the attacks.

A known gang of malicious hackers is already exploiting the previously unknown use-after-free vulnerability in targeted attacks, FireEye researchers said. The in-the-wild attacks the researchers observed target IE versions 9, 10, and 11 and work when victims visit booby-trapped websites. To bypass address space layout randomization and data execution prevention—which are security mitigations Microsoft designed to make it harder for hackers to remotely execute malicious code—the attacks abuse the presence of the vector markup language and Adobe Flash. The group carrying out the attacks is known to be behind other “advanced persistent threats,” which use an arsenal of zero-day attacks to penetrate specific corporations and governments to siphon proprietary data and sensitive information.