New Security Flaw Found In Internet Explorer 6, 7 and 8

Microsoft has confirmed the discovery of a new security flaw that affects Internet Explorer versions 6 through 8. The new flaw is considered critical by Microsoft as it is actively being used by attackers to hijack victims' Windows computers.

The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

In a security advisory issued Dec. 29, Microsoft acknowledged that attacks are taking place. "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," the alert stated. Jonathan Ness and Cristian Craioveanu, engineers on Microsoft's security team, provided some details on the IE flaw in a separate post to the Security Research & Defense blog. "We're working around the clock on the full security update," Ness and Craioveanu wrote.

Ways to block code execution
The best protection against exploits for this vulnerability is for the vulnerable code to not be present. Internet Explorer 9 or 10 do not include the vulnerable code. And the IE team is working around the clock to develop a security update to address this vulnerability for earlier versions of the product. However, until the update is available, customers using Internet Explorer 8 can block the current targeted attacks by introducing changes to disrupt any of the elements of the exploit. Specifically:

• Disabling Javascript will prevent the vulnerability from being triggered initially.
• Disabling Flash will prevent the ActionScipt-based heap spray from preparing memory such that the freed object contains exploit code.
• Disabling the ms-help protocol handler AND ensuring that Java6 is not allowed to run will block the ASLR bypass and the associated ROP chain.

Another alternative - one likely to have less impact on your browsing experience - is to install EMET and enable it to protect Internet Explorer. EMET’s Mandatory ASLR mitigation will block both the Java6-based and hxds.dll-based ASLR bypass. EMET’s Export Address Filtering (EAF) mitigation blocks the shellcode used in the targeted attacks we have analyzed. EMET 3.5’s ROP mitigation blocks both the Java6 and hxds.dll ROP chains used in the exploits we have analyzed.