On Saturday, April 26, 2014, Microsoft Corp. reported to the United States Computer Emergency Readiness Team (US-CERT, a division of the Department of Homeland Security) that Microsoft Internet Explorer versions 6-11 had come under attack! Malicious hackers were exploiting a use-after-free vulnerability that allows unauthorized remote code execution, which can lead to the complete compromise of an affected computer system.
US-CERT highly recommends that users and administrators enable Microsoft EMET (Enhanced Mitigation Experience Toolkit) where possible (Windows 7 and above). For those unable to use the toolkit, US-CERT highly recommends using a different web browser such as Mozilla Firefox or Google Chrome. If you MUST use Internet Explorer, go to Internet Options > Security and move the slider to its highest setting. Also avoid any website that might be even remotely questionable or malicious. Attacks can also come from websites that accept or host user-provided content and/or advertisements.
The vulnerability, dubbed CVE-2014-1776, has the potential to give hackers the same user rights as the current user. It is especially devastating to the 28% of computers worldwide still running Windows XP, as Microsoft has discontinued support for that OS. Google has promised XP Chrome users that they will have browser support until April 2015. Mozilla has not announced any end-of-support date for XP Firefox users. Avast (maker of a free antivirus product) reports that XP is under systemic attack at a rate 6 times that of Windows 7.
While there is no apparent Adobe Flash vulnerability, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is possible because Flash runs within the same process space as the Internet Explorer browser. Please note that exploitation without Flash is entirely possible. By convincing or luring a user to view a specially crafted HTML document (a web page, or an HTML email message or attachment), an attacker may be able to execute arbitrary code and gain remote access to the user’s computer with full permissions and rights.
By default, Internet Explorer on Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 runs in a restricted mode (Enhanced Security Configuration) that mitigates the vulnerability. By default, Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the Restricted Sites zone, which disables script and ActiveX controls. This significantly reduces an attacker’s ability to exploit the vulnerability. If a user clicks on a link in the email message, they could still be vulnerable. Users who have fewer user rights on a system will be less impacted than users who operate with full administrative rights.
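One way to audit the mitigations described above on a Windows host, as an added example that is not part of the original article: a read-only PowerShell script that reports the Internet zone security level (the slider setting), whether EMET appears to be installed, whether IE Enhanced Security Configuration is enabled (Server editions only; on a workstation both answers will simply be false), and whether the current session holds administrative rights. The registry paths, the CurrentLevel value encoding, the Active Setup GUIDs and the EMET service name are assumptions drawn from general knowledge of Internet Explorer and EMET, not from the post; verify them against your own build before relying on the output.

```powershell
# Added audit script (not from the original article). Read-only: it reports the
# state of the mitigations recommended for CVE-2014-1776 and changes nothing.

# Zone 3 is the Internet zone. CurrentLevel encoding (assumption, from IE documentation):
# 0x12000 High, 0x11500 Medium-High, 0x11000 Medium, 0x10500 Medium-Low, 0x10000 Low.
$levelNames = @{
    0x12000 = 'High'
    0x11500 = 'Medium-High'
    0x11000 = 'Medium'
    0x10500 = 'Medium-Low'
    0x10000 = 'Low'
}

function Get-InternetZoneLevel {
    $zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $level = (Get-ItemProperty -Path $zonePath -Name CurrentLevel -ErrorAction SilentlyContinue).CurrentLevel
    if ($null -eq $level) { return 'unknown (value not set; built-in default applies)' }
    if ($levelNames.ContainsKey([int]$level)) { return $levelNames[[int]$level] }
    return ('custom (0x{0:X})' -f $level)
}

function Test-EmetInstalled {
    # EMET 4.x/5.x registers the 'EMET_Service' service and stores settings under
    # HKLM\SOFTWARE\Microsoft\EMET (assumption). Either is taken as evidence of an install.
    $svc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
    $key = Test-Path 'HKLM:\SOFTWARE\Microsoft\EMET'
    return [bool]($svc -or $key)
}

function Get-IeEscState {
    # IE Enhanced Security Configuration is recorded under Active Setup (assumption on GUIDs):
    # {A509B1A7-...} covers administrators, {A509B1A8-...} all other users. IsInstalled 1 = enabled.
    $base  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $admin = (Get-ItemProperty "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    $user  = (Get-ItemProperty "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    return [pscustomobject]@{ Administrators = ($admin -eq 1); Users = ($user -eq 1) }
}

function Test-RunningAsAdmin {
    # The post notes that accounts with fewer rights are less impacted; report what this session has.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Report. Anything marked WARN is a setting the post recommends changing.
$zone = Get-InternetZoneLevel
$esc  = Get-IeEscState
Write-Host ("Internet zone security level : {0} {1}" -f $zone, $(if ($zone -ne 'High') { '[WARN: slider not at High]' } else { '' }))
Write-Host ("EMET detected                : {0} {1}" -f (Test-EmetInstalled), $(if (-not (Test-EmetInstalled)) { '[WARN: EMET not found]' } else { '' }))
Write-Host ("IE ESC (admins / users)      : {0} / {1}" -f $esc.Administrators, $esc.Users)
Write-Host ("Session is administrative    : {0} {1}" -f (Test-RunningAsAdmin), $(if (Test-RunningAsAdmin) { '[WARN: browse as a standard user]' } else { '' }))
```

Run it in a normal (non-elevated) PowerShell session as the user who actually browses, since the zone setting is read from HKCU and the rights check reflects the session it runs in. Absence of the EMET service or key is not proof that EMET is missing on an unusual install, so treat that line as a prompt to check, not a verdict.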
There is no way for an attacker to FORCE a user to visit the websites from which they may be attacked, but attackers are very creative about luring and tricking users into visiting them. If it seems “too-good-to-be-true,” leave it ALONE! The same goes for questionable websites that offer free downloads of toolbars and other unneeded software: leave them ALONE. DO NOT EVER OPEN ATTACHMENTS IN JUNK EMAIL! Please use some common sense.
As of the writing of this blog article, Microsoft has still not decided whether it will issue an emergency patch or wait for the next "Patch Tuesday," which will be May 13th, 2014.