Microsoft issues security advisory for Internet Explorer exploit

Microsoft made a rare weekend post on its Security Response Center blog to announce an advisory that affects all currently supported versions of Internet Explorer. The issue is based on a newly discovered exploit that could be used against the web browser.

The blog post states that the exploit "allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message." The company is aware of "limited, targeted attacks" that have used the exploit.

IE 10 and 11 are protected against attacks using this exploit if Enhanced Protected Mode is turned on. PCs that have either the Enhanced Mitigation Experience Toolkit 4.1 or the EMET 5.0 Technical Preview installed are also protected against this security hole. Microsoft says that PC owners should always enable their personal firewall, make sure to have all of the latest software updates for their programs, and have all the most recent anti-virus and anti-malware definitions.

Finally, Microsoft said, "... we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders." The blog did not have any information on when Microsoft will release a patch that will close this latest IE exploit.

The issue affects IE 6, which is still supported by Windows Server 2003 Service Pack 2. It's also still used by Windows XP, which is no longer supported by Microsoft. That means IE 6 users on that OS won't be getting a patch when Microsoft issues one for the web browser.

Source: Microsoft | Image via Microsoft

45 Comments


This might be the first test as to whether a patch for IE8/XP will be leaked by a corporate worker, or if a patch meant for IE8 on another operating system can be tweaked to use on XP. It will be interesting to see how long it will take (if it happens at all).

darkrats said,
This might be the first test as to whether a patch for IE8/XP will be leaked by a corporate worker, or if a patch meant for IE8 on another operating system can be tweaked to use on XP. It will be interesting to see how long it will take (if it happens at all).

And, how many affected people are going to try and apply that patch? How many are going to break things as a result, and end up with an even bigger mess?

You make it sound like everyone will be too scared to try a leaked or tweaked patch. There are many, including myself, who have enough safeguards in place to test something like that. Once it's tested and put online, the less confident will start using those patches. I could "break things" in a major way, and still have my system back up and running in about 15 minutes or less. I've tested viruses and malware just for the fun of seeing what they can do. Not once have I been unable to restore my system back the way it was. Scaring people about "unofficial" patches is about the same as scaring them about downloading from torrent sites. Even if you only know how to do a system restore from an external source, you can play around with whatever software you would like to. That's been my experience of the past 15 years or so. For what that's worth.

Auditor said,
Or better yet, use Firefox or Chrome.

as each Pwn2own security contest has proven over and over, switching between vulnerable browsers is not valuable security advice.

skilled hackers tend to prove that they can penetrate any browser.
so if you are a valuable target, it doesn't matter if you use Firefox/chrome, you will get hacked too.

just look at the results of the last Pwn2own contest.

Firefox was hacked 5 times.
even ChromeOS was hacked twice with complete root control.

the only target that nobody hacked despite the $150 000 reward was IE11 with EMET installed.
not that it is invulnerable, but it seems to be the hardest platform to write an exploit on.

so, you are actually safer using IE with EMET despite this 0flaw rather than using chrome/firefox without EMET.

if IE users have to install something to improve their security, it's EMET, not another potentially more vulnerable browser.

"The issue affects IE 6, which is still supported by Windows Server 2003 Service Pack 2."

So XP is out of support but Server 2003 is just the Server version of XP! And it doesn't take much to convert 2003 to XP: http://www.msfn.org/win2k3/
There's even a Neowin thread on converting 2003 to XP: http://www.neowin.net/forum/to...er-2003-xp-conversion-pack/
And since 2003's IE6 is almost identical to XP, it probably won't take much to reverse engineer the updates so XP users can take advantage of them.

WinMetro said,
"The issue affects IE 6, which is still supported by Windows Server 2003 Service Pack 2."

So XP is out of support but Server 2003 is just the Server version of XP! And it doesn't take much to convert 2003 to XP: http://www.msfn.org/win2k3/
There's even a Neowin thread on converting 2003 to XP: http://www.neowin.net/forum/to...er-2003-xp-conversion-pack/
And since 2003's IE6 is almost identical to XP, it probably won't take much to reverse engineer the updates so XP users can take advantage of them.

XP patches for custom support customers will probably leak.

and if they don't, I guess the patch for win2003 will be binary compatible with XP, since gfx.dll is just a COM component to do VML rendering.
future IE patches however won't be binary compatible.

WinMetro said,
And since 2003's IE6 is almost identical to XP, it probably won't take much to reverse engineer the updates so XP users can take advantage of them.

The only people that could do that have moved off of XP by now, which leaves vulnerable users still vulnerable.

Dot Matrix said,
Well, at this point, it'll only be 9 / 10 / 11 that get fixed. XP users, beware.

you know that IE7/8 are still supported on vista/7.

even IE6 is still supported on win2003 (XP users should be able to extract the patch and replace their vulnerable version of vgx.dll with the fixed one once available).

Which reminds me that the custom support patches themselves are kept private by the organizations, but the patched binaries can be easily accessed and copied by any user having access to a machine with them installed, and it is probably also possible to get the catalog file used to sign the binaries. This for example would allow disassembly of the binaries if a user wanted to. It is easy BTW to determine if a Win2000 binary is a custom support build by just looking at the build number.

Yuhong Bao said,

Looks like an error.

No error. IE 8 support ended with XP's support. Office 2003, IE 8, and Windows XP are all unsupported technologies.

Sintheo, why the "WTH"? This was announced a long time ago, and should not be a surprise.

sinetheo said,
I think you're confusing IE 6 with IE 8.

Even IE6 would be technically an error since it is still supported on Server 2003 (that is why it is listed in the advisory).

Yuhong Bao said,

Looks like an error.

Looks mysteriously like the same reply I got from Slashdot.org by someone with a similar name :-)

Dot Matrix said,

No error. IE 8 support ended with XP's support. Office 2003, IE 8, and Windows XP are all unsupported technologies.

Sintheo, why the "WTH"? This was announced a long time ago, and should not be a surprise.

That should be an error, as IE8 shares the same support cycle as Windows 7, seeing the browser was released at the same time.

sjaak327 said,

That should be an error, as IE8 shares the same support cycle as Windows 7, seeing the browser was released at the same time.

Actually, to correct, IE8 on Windows XP is unsupported. IE8 on Windows Vista and Windows 7 should still be supported.

It's a good thing my employer with IE 8 with sandboxing and protected mode turned off in low security zone settings is ok

We only deal with credit card processing and HIPAA so nothing to worry about at all.

As usual, Microsoft EMET does a good job of blocking this exploit.

I advise everyone, even those who don't use IE, to install EMET. Don't wait for 0day exploits to become publicly known to install EMET. It's a good protection to have permanently, and it doesn't even slow down the system (unlike an antivirus).

if you want more explanations about what EMET is:
http://www.julien-manici.com/b...et-Explorer-Firefox-Chrome/


about the flaw itself, it appears to be a flaw in the VML renderer (which is a deprecated component).
it's not technically a flaw in the core components of IE (the Windows Phone version is not vulnerable because VML is no longer supported in IE mobile)

Cool, am using enhanced protection mode on IE. Suggest for everyone to do so.
And I'm using EMET :)

But won't be long before people start flaming on Microsoft because of this. They already fixed it with IE10/11 obviously.

Shadowzz said,
Cool, am using enhanced protection mode on IE. Suggest for everyone to do so.
And I'm using EMET :)

But won't be long before people start flaming on Microsoft because of this. They already fixed it with IE10/11 obviously.

IE/Metro users are protected by the enhanced protected mode by default, but IE/desktop users are NOT.

IE/desktop users must enable EPM manually in order to be protected.

and do not forget that win7 doesn't support EPM. Enabling this option on win7 just enables 64bit support (which seems to be enough to break this 0day exploit though), but doesn't actually improve the sandbox.

more information:
http://www.julien-manici.com/b...d-protected-mode-windows-8/

Shadowzz said,
Cool, am using enhanced protection mode on IE. Suggest for everyone to do so.
And I'm using EMET :)

But won't be long before people start flaming on Microsoft because of this. They already fixed it with IE10/11 obviously.

Not cool if you need to disable protected mode and sandboxing to run ancient web apps written for IE 7 which requires Java with compromised certificates. The state of Ohio requires this for HIPAA Medicare processing. No risk at all. Tea Party governor doesn't want to pay to upgrade. Not even trusting the site will lower security enough to run it. Many other sites are not certified to run on 7 but accounting won't pay to upgrade so all security goes off.

sinetheo said,

Not cool if you need to disable protected mode and sandboxing to run ancient web apps written for IE 7 which requires Java with compromised certificates. The state of Ohio requires this for HIPAA Medicare processing. No risk at all. Tea Party governor doesn't want to pay to upgrade. Not even trusting the site will lower security enough to run it. Many other sites are not certified to run on 7 but accounting won't pay to upgrade so all security goes off.

in cases like that, you can install EMET5 beta.

it has a new feature called Attack Surface Reduction which disables Java support in the internet zone.

this way, when you visit a trusted site that requires Java, you can add it to the trusted sites list, and Java applets will be able to run on this site, without having to compromise the security in the internet zone.

link8506 said,

IE/Metro users are protected by the enhanced protected mode by default, but IE/desktop users are NOT.

IE/desktop users must enable EPM manually in order to be protected.

and do not forget that win7 doesn't support EPM. Enabling this option on win7 just enables 64bit support (which seems to be enough to break this 0day exploit though), but doesn't actually improve the sandbox.

more information:
http://www.julien-manici.com/b...d-protected-mode-windows-8/

EPM was on by default for me on IE11 on the desktop, I never had to turn it on, the check box was already checked, don't know why but I figured it was the default.

link8506 said,

IE/Metro users are protected by the enhanced protected mode by default, but IE/desktop users are NOT.

IE/desktop users must enable EPM manually in order to be protected.

and do not forget that win7 doesn't support EPM. Enabling this option on win7 just enables 64bit support (which seems to be enough to break this 0day exploit though), but doesn't actually improve the sandbox.

more information:
http://www.julien-manici.com/b...d-protected-mode-windows-8/


Yes thank you, am aware of how it works and how to enable it.

sinetheo said,

Not cool if you need to disable protected mode and sandboxing to run ancient web apps written for IE 7 which requires Java with compromised certificates. The state of Ohio requires this for HIPAA Medicare processing. No risk at all. Tea Party governor doesn't want to pay to upgrade. Not even trusting the site will lower security enough to run it. Many other sites are not certified to run on 7 but accounting won't pay to upgrade so all security goes off.


What, enhanced protection mode works perfectly fine with Java 64bit.

Everyone who has or uses a computer should be required to take a class and get a license to operate like a car. This should be part of the standard "Oath of Responsible Usage" -

... we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders.

People using computers, especially in corporate envs. can cause MILLIONS of dollars worth of internal damage to networks by doing stupid stuff, bringing in files/USB sticks from home or circumventing internal network security and should be held accountable just like when someone runs a red light or commits DUI in a car.

xendrome said,
Everyone who has or uses a computer should be required to take a class and get a license to operate like a car.

Amen to that. (Although it has given me plenty of "I done goofed - halp" jobs.) This goes for any internet enabled software.. isn't a browser out there on any OS that hasn't had some sort of vulnerabilities, never mind it still won't hold your hand to keep you from doing something in the dumbassery category.

xendrome said,
Everyone who has or uses a computer should be required to take a class and get a license to operate like a car. This should be part of the standard "Oath of Responsible Usage" -

People using computers, especially in corporate envs. can cause MILLIONS of dollars worth of internal damage to networks by doing stupid stuff, bringing in files/USB sticks from home or circumventing internal network security and should be held accountable just like when someone runs a red light or commits DUI in a car.

I agree with you as a fellow technocrat, but one of the best things about the internet, for better or worse, is that it's basically an unbounded portal to more information than any one human has ever had access to, and because of that I don't think I could ever support an "internet drivers license". It imposes a barrier to entry that penalizes the people most likely to benefit from access to the internet.

In a corporate environment is a different issue. An employer is free to do what they like to restrict access to the internet, and how employees get access to it. If that requires a course in computer safety, then fine, so much the better. HOWEVER, it's also worth bearing in mind that if a single employee is able to cause millions of dollars/euros/etc of damage by going to a malicious website, or opening a virus and such, they have bigger problems with their IT infrastructure.

xendrome said,
should be held accountable just like when someone runs a red light or commits DUI in a car.

You want to compare a virus infection on a corporate network to a potentially life-threatening situation? Really?

Civil cases exist so that companies can sue their employees for negligence but no one wants to do it because it's bad for business. Guess how bad for business it would be if it was turned into criminal law?

CuddleVendor said,

You want to compare a virus infection on a corporate network to a potentially life-threatening situation? Really?

I didn't... you did.. I am speaking in terms of monetary damages.

CuddleVendor said,
You want to compare a virus infection on a corporate network to a potentially life-threatening situation? Really?

Nuclear power plants. Medical equipment firmware. Patient records. Military networks. History has shown they can all be penetrated/tampered with.