The latest Internet Explorer zero-day vulnerability, which was discovered by researcher Eric Romang, is causing quite a flap in the security community. It has caused even more excitement at Microsoft.
Although Redmond says few users have been affected, it has responded relatively swiftly to the problem, issuing a temporary patch for the flaw, and promising to roll out an automatic update on Friday.
Why the Need for Speed?
A war has been raging between browser vendors for some time, resulting in vendors speeding up development, putting in new features, and, in essence, pulling out all the stops to win.
For example, when Statcounter indicated in May that Google Chrome had beaten out IE for the Number One spot in the browser market, Redmond countered by citing figures from Netmarketshare, which showed IE still in the lead.
That puts the issue of user defection right up there on the list of problems weighing on browser vendors’ minds.
“The differences in performance between IE and other browsers, particularly Google’s Chrome, could be enough to make converts out of even the most stalwart Microsoft fans,” Charles King, principal analyst at Pund-IT, told TechNewsWorld. “That may be one of the reasons Microsoft’s working so quickly on a fix.”
So, suggestions by security experts that consumers switch to other browsers, at least until the problem is fixed, and an advisory from the German government to consumers to stop using IE galvanized Microsoft into action.
Advice for Users
Switching to another browser “is warranted,” Joe McManus, software engineering manager at Webroot, told TechNewsWorld. Because IE “is a large executable with many features [and] this attack is complex, once [the browser] is patched, it does not mean the end of vulnerabilities in IE.”
However, it “would not hurt to deploy” Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which provides additional security for Windows operating systems, McManus remarked.
Hopping to another browser won’t necessarily keep users safe. “It goes without saying that, whatever browser users decide to go with, it’s imperative to keep [it] and [its] plug-ins up-to-date with the latest security patches,” Liam O Murchu, Manager of Operation, Symantec Security Response, told TechNewsWorld.
Nor will deploying Fix It be enough to safeguard users who decide to remain with IE. “A multilayered approach to security is really the only way to ensure safety online,” O Murchu said. This entails keeping systems up to date, using security solutions that incorporate multiple detection methodologies, putting up a firewall, and employing safe browsing features.
The IE Flaw
The vulnerability occurs when an HTML page is rendered, Romang, who discovered the flaw, said. The CMshtmlEd object gets deleted in an unexpected manner but the same memory is reused later in the CMshtmlEd:Exec() function. This leads to a use-after-free condition.
The flaw can corrupt memory so hackers can execute malicious code remotely.
It’s being exploited by a four-component attack. Two, which Romang called exploit.html and protect.html, are recognized as HTML files. A third, Moh2010.swf, is recognized as a Macromedia Flash Player Movie. The fourth, 111.exe, is recognized as an Autodesk FLIC image file.
Romang found the exploit in a folder on one of the servers used by hackers believed to belong to the notorious “Nitro” gang, which has attacked the chemical industry in the past. Its most recent exploit is the Java SE 7 zero-day exploit that struck in August.
Romang didn’t accuse the Nitro gang outright, although other security experts have subsequently done so.
The flaw is present in all versions of the IE browser from IE 6 through 9.
“While the vast majority of people are not impacted by this issue, yesterday Microsoft provided a temporary fix that can be downloaded with one easy click and offers immediate protection,” Yunsun Wee, director of Microsoft’s Trustworthy Computing Group, told TechNewsWorld in a prepared statement. “We will also provide a permanent solution for customers that will be automatically enabled on Friday, Sept. 21, 2012.”