Serious Internet Explorer flaw puts XP users especially at risk--code-execution hole in IE versions 6 through 11

Discussion in 'Windows - General discussion' started by ireland, Apr 27, 2014.

  1. ireland

    ireland Active member

    Active 0day attack hijacking IE users threatens a quarter of browser market
    No patch available yet for critical bug affecting all supported versions of IE.

    Attackers are actively exploiting a previously unknown vulnerability in all supported versions of Internet Explorer that allows them to surreptitiously hijack vulnerable computers, Microsoft warned Sunday.

    The zero-day code-execution hole in IE versions 6 through 11 represents a significant threat to Internet security because there is currently no fix for the underlying bug, which affects an estimated 26 percent of the total browser market. It's also the first significant vulnerability to target Windows XP users since Microsoft withdrew support for that aging OS earlier this month. Users who have the option of using an alternate browser should avoid all use of IE for the time being. Those who remain dependent on the Microsoft browser should immediately install EMET, Microsoft's freely available toolkit that greatly extends the security of Windows systems.

    The vulnerability is formally indexed as CVE-2014-1776. Microsoft has blog posts here, here, and here that lay out bare bones details uncovered at this early stage in its investigation. Although there is no exploited vulnerability in Adobe Flash, disabling the browser add-on will also neutralize attacks, analysts at security firm FireEye Research Labs wrote in a separate blog post published Sunday. Disabling vector markup language support in IE also mitigates attacks.

    A known gang of malicious hackers is already exploiting the previously unknown use-after-free vulnerability in targeted attacks, FireEye researchers said. The in-the-wild attacks the researchers observed target IE versions 9, 10, and 11 and work when victims visit booby-trapped websites. To bypass address space layout randomization and data execution prevention—which are security mitigations Microsoft designed to make it harder for hackers to remotely execute malicious code—the attacks abuse the presence of the vector markup language and Adobe Flash. The group carrying out the attacks is known to be behind other "advanced persistent threats," which use an arsenal of zero-day attacks to penetrate specific corporations and governments to siphon proprietary data and sensitive information.

    "The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past," the FireEye analysts wrote. "They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure. They have a number of backdoors including one known as Pirpi that we previously discussed here. CVE-2010-3692, then a 0-day exploit in Internet Explorer 6, 7, and 8, dropped the Pirpi payload discussed in this previous case."

    FireEye is withholding further details of the attack campaign, presumably to prevent copycat attacks or protect the targeted parties.

    While the current attacks are limited to extremely targeted individuals or organizations, it's not uncommon for vulnerabilities to become much more widely exploited in the hours or days following widespread disclosure. End users should exercise caution, at least until Microsoft and other third-party researchers have time to conduct a more thorough investigation. As already stated, the best defense for now is to avoid all use of IE whenever possible. Barring that, IE users should ensure EMET 4.1 or 5.0 is installed and that all mitigations are enabled and that VML and Flash are disabled.

    http://arstechnica.com/security/201...rstechnica/index+(Ars+Technica+-+All+content)


    ============================================
    ==========================================
    ========================================

    Serious Internet Explorer flaw puts XP users especially at risk
    We hope that you heeded our advice to finally ditch Windows XP in favor of a more modern operating system, because there's a new security exploit that'll leave stubborn XP users in the cold. In a security alert released on Saturday, Microsoft reports that there's a serious vulnerability in Internet Explorer 6 through 11 that could allow hackers to take over your computer remotely if you happen to visit a malicious website. According to security firm FireEye, it has already found evidence of an attack that targets IE 9 through 11 that uses a well-known Flash exploitation technique to gain access to your computer's memory. Microsoft has already said it plans to roll out an IE security update for all modern versions of Windows, but if you're using XP, well, you're out of luck, as support for that 12-year-old OS ended a few weeks ago.
    In the meantime, Microsoft suggests enabling Enhanced Protection Mode if you're using Internet Explorer 11 on Windows 7 for x64-based systems and all Windows 8 machines. Other workarounds include installing a free security tool called EMET (Enhanced Mitigation Experience Toolkit), adjusting security settings to High and disabling Active Scripting. To get even more tips on how to get around the vulnerability before Microsoft rolls out the update, hit the source links below. Or just, you know, use another browser, at least for the time being.
    http://www.engadget.com/2014/04/27/internet-explorer-security-exploit/?ncid=rss_truncated
     
  2. ireland

    ireland Active member

    UPDATE: The U.S. Department of Homeland Security advised computer users to consider using alternatives to Microsoft Corp’s Internet Explorer browser until the company fixes a security flaw that hackers have used to launch attacks.

    The United States Computer Emergency Readiness Team said in an advisory released on Monday morning that the vulnerability in versions 6 to 11 of Internet Explorer “could lead to the complete compromise of an affected system.”

    ***

    BOSTON — Microsoft is rushing to fix a bug in its widely used Internet Explorer Web browser after a computer security firm disclosed a flaw over the weekend, saying hackers have already exploited it in attacks on some U.S. companies.

    PCs running Windows XP will not receive any updates fixing that bug when they are released, however, because Microsoft stopped supporting the 13-year-old operating system earlier this month. Security firms estimate that between 15 and 25 percent of the world’s PCs still run Windows XP.

    Microsoft disclosed on Saturday its plans to fix the bug in an advisory to its customers posted on its security website, which it said is present in Internet Explorer versions 6 to 11. Those versions dominate desktop browsing, accounting for 55 percent of the PC browser market, according to tech research firm NetMarketShare.

    Cybersecurity software maker FireEye said that a sophisticated group of hackers have been exploiting the bug in a campaign dubbed “Operation Clandestine Fox.”

    FireEye, whose Mandiant division helps companies respond to cyber attacks, declined to name specific victims or to identify the group of hackers, saying that an investigation into the matter is still active.

    “It’s a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors,” FireEye spokesman Vitor De Souza said via email. “It’s unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.”

    He declined to elaborate, though he said one way to protect against them would be to switch to another browser.

    Microsoft said in the advisory that the vulnerability could allow a hacker to take complete control of an affected system, and then do things such as viewing, changing, or deleting data; installing malicious programs; or creating accounts that would give hackers full user rights.

    FireEye and Microsoft have not provided much information about the security flaw or the approach that hackers could use to figure out how to exploit it, said Aviv Raff, chief technology officer of cybersecurity firm Seculert.

    Yet other groups of hackers are now racing to learn more about it so they can launch similar attacks before Microsoft prepares a security update, Raff said.

    “Microsoft should move fast,” he said. “This will snowball.”

    Still, he cautioned that Windows XP users will not benefit from that update since Microsoft has just halted support for that product.

    The software maker said in a statement to Reuters that it advises Windows XP owners to upgrade to one of the two most recent versions of its operating system, Windows 7 or 8.

    (Reporting by Jim Finkle; editing by Diane Craft.)

    https://www.yahoo.com/tech/new-security-flaw-affects-all-versions-of-internet-84085229159.html
     
  3. aldan

    aldan Active member

    I've been using an alternative to IE for years. Thanks for the info, ireland.
     
  4. ddp

    ddp Moderator Staff Member

    Patch for XP is now available, as I used it on my downstairs XP computer today. Still have to install the patch on my Win7 IE8 one day soon.
     
  5. ireland

    ireland Active member

    Microsoft’s decision to patch Windows XP is a mistake

    Microsoft officially ended support of the twelve-and-a-half-year-old Windows XP operating system a few weeks ago. Except it apparently didn't, because the company has included Windows XP in its off-cycle patch to fix an Internet Explorer zero-day that's receiving some amount of in-the-wild exploitation. The unsupported operating system is, in fact, being supported.

    Explaining its actions, Microsoft says that this patch is an "exception" because of the "proximity to the end of support for Windows XP."

    The decision to release this patch is a mistake, and the rationale for doing so is inadequate.

    A one-off patch of this kind makes no meaningful difference to the security of a platform. Internet Explorer received security patches in 11 of the last 12 Patch Tuesdays. Other browsers such as Chrome and Firefox receive security updates on a comparable frequency.

    Web browsers are complex. They're necessarily exposed to all manner of potentially hostile input that the user can't really control, and as such, they're a frequent target for attacks. They need regular updates and ongoing maintenance. The security of a browser is not contingent on any one bugfix; it's dependent on a continuous delivery of patches, fixes, and improvements. One-off "exceptions" do not make Internet Explorer on Windows XP "safe." There's no sense in which this patch means that all of a sudden it's now "OK" to use Internet Explorer on Windows XP.

    And yet it seems inevitable that this is precisely how it will be received. The job of migrating away from Windows XP just got a whole lot harder. I'm sure there are IT people around the world who are now having to argue with their purse-string-controlling bosses about this very issue. IT people who have had to impress on their superiors that they need the budget to upgrade from Windows XP because Microsoft won't ship patches for it any longer. Microsoft has made these IT people into liars. "You said we had to spend all this money because XP wasn't going to get patched any more. But it is!"

    Bosses who were convinced that they could stick with Windows XP because Microsoft would blink are now vindicated.

    After all, if Microsoft can blink once, who's to say it won't do so again? The next Patch Tuesday patch for Internet Explorer is almost certainly going to include flaws that affect Internet Explorer on Windows XP: the nature of software means that most flaws in Internet Explorer 7 (supported for the remainder of Windows Vista's life cycle) and Internet Explorer 8 (tied to Windows 7's life cycle) will also be flaws in Internet Explorer 7 and 8 when run on Windows XP. Many of them will also hit Internet Explorer 6.

    In fact, this is precisely the pattern we've seen with this flaw. The first in-the-wild exploits hit only Internet Explorer 9, 10, and 11, on Windows 7 and 8. As security firm FireEye reports, it's only later that attacks for (unsupported) Internet Explorer 8 on Windows XP materialized.

    Virtually every time Microsoft updates one of its remaining supported platforms, the company will also simultaneously be disclosing a zero-day vulnerability for Windows XP (something Apple has recently been criticized for doing). The patch list for May's Patch Tuesday—less than two weeks away—isn't out yet, but based on Internet Explorer's track record, it's highly likely that it's going to get updated, and it's highly likely that these updates will reveal exploitable flaws on Windows XP.

    By Microsoft's "proximity" argument, those flaws should be patched on Windows XP, too. In fact, it's hard to see a time when "proximity" won't be an issue. It's inevitable that Patch Tuesday will reveal exploitable flaws for the unsupported operating system, and it's similarly inevitable that at least some of those flaws will get exploited. With Windows XP's market share as high as it is, there was never any realistic chance that an exploit would not materialize in "proximity" to the end of support.

    People using Windows XP are going to be exploited through known but unpatched vulnerabilities. That is what the end of support means. That is its unavoidable consequence. For as long as Windows XP has a substantial number of users, there will be calls for "one more patch" to be released. There's nothing special about this latest flaw that warrants special treatment, and the next weeks and months will see the disclosure and exploitation of many more similar flaws. If this bug was fixed, all those bugs should get fixed, too.

    The zero-day flaw and its exploitation is unfortunate, and Microsoft is likely smarting from government calls for people to stop using Internet Explorer. The company had three ways it could respond. It could have done nothing—stuck to its guns, maintained that the end of support means the end of support, and encouraged people to move to a different platform. It could also have relented entirely, extended Windows XP's support life cycle for another few years, and waited for attrition to shrink Windows XP's userbase to irrelevant levels. Or it could have claimed that this case is somehow "special," releasing a patch while still claiming that Windows XP isn't supported.

    None of these options is perfect. A hard-line approach to the end-of-life means that there are people being exploited that Microsoft refuses to help. A complete about-turn means that Windows XP will take even longer to flush out of the market, making it a continued headache for developers and administrators alike.

    But the option Microsoft took is the worst of all worlds. It undermines efforts by IT staff to ditch the ancient operating system, and undermines Microsoft's assertion that Windows XP isn't supported, while doing nothing to meaningfully improve the security of Windows XP users. The upside? It buys those users at best a few extra days of improved security. It's hard to say how that was possibly worth it.


    http://arstechnica.com/security/201...rstechnica/index+(Ars+Technica+-+All+content)
     
    Last edited: May 2, 2014
