Microsoft IE under Hack Attack: Zero-Day Exploit Impacts over 25 Percent of Browsers

By Peter Bernstein April 28, 2014

Unfortunately, when it comes to cyber attacks there is not nook or cranny that those with malicious intent won’t explore and then exploit when vulnerabilities are found.  Such is the case with the revelation over the weekend that many of the versions of the popular, especially with government agencies, Microsoft Internet Explorer (IE) browser have a security flaw. 

Discovered by security firm FireEye and discussed on its blog on April 26, the vulnerability affects IE6 through IE11 (which represents according to researchers at NetMarket Share north of 50 percent of the world’s actively use browser population ), but attacks are targeting IE9 through IE11 (roughly 25 percent of the market). As FireEye notes this is a “zero-day” attack that bypasses both ASLR and DEP, and there is an active and ongoing campaign by the bad guys that goes under the name “Operation Clandestine Fox.”  Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.

Be careful out there and get ready to patch things up

Here is what you need to know about this bad boy.  As the Microsoft advisory FAQ section notes:

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability? 
An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

As of this time there is no fix.  Microsoft is investigating the problem and has promised an alert once there is a remedy. 

Both Microsoft and FireEye have a series of mitigation recommendations that IT departments should take while waiting for a security update.  Most of the focus is on making sure your firewall is on and updated and that you have up-to-date antimalware software as well.  Plus, both are recommending the use of the Enhanced Mitigation Experience Toolkit (EMET).

The worst of the potential threat is obviously an issue for your IT department who can follow the recommendations until a permanent fix is in place.  For us mere mortals unless you have to use IE you might wish to use another browser until we get the all clear from Microsoft and you get notification that a patch is ready for download. 




Edited by Maurice Nagle
SHARE THIS ARTICLE
Related Articles

Verizon Needs Tough Love on Copper Policies

By: Doug Mohney    1/29/2015

New regulation on broadband and telecommunications providers is at top of mind here at ITEXPO. Jeff Pulver, founder and chief executive of pulver.com …

Read More

OTT Video Set to Top $6 Billion in 2019

By: Tara Seals    1/29/2015

When it comes to over-the-top (OTT) video, it has grown not only in developed regions but also in emerging markets, both as an alternative and complem…

Read More

Digium CEO: Businesses at Every Level Can Get Started with UCaaS

By: Allison Boccamazzo    1/29/2015

Digium CEO Danny Windham made one thing clear during his keynote presentation at ITEXPO 2015: Businesses of all kinds, at every developmental level, c…

Read More

When Gaming Isn't a Game: 3 Best Practices to Protect Your Hosting Service Against DDoS Attacks

By: Joe Eskew    1/28/2015

The unprecedented number of security breaches, hacks and DDoS attacks on gaming communities, software manufacturers and even Hollywood studios grew to…

Read More

No Hackers Took Down Facebook; Hour's Outage Mostly Internal

By: Steve Anderson    1/28/2015

Facebook released a statement not long after the outage had hit, revealing that the cause of the shutdown was not "...the result of a third-party atta…

Read More