Microsoft is predicted to release an out-of-band patch for the zero-day vulnerability in Internet Explorer.
So far Microsoft has released only an advisory regarding the issue, following reports of a limited number of targeted attacks directed specifically at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions. Ross Barrett from Rapid7 recommended taking immediate action to mitigate the risk, especially as the exploit code is now widely available.
He said: “I personally expect to see an out-of-band patch from Microsoft before October’s patch Tuesday, but that is just speculation. Exploitation in the wild still seems limited to IE 8 and 9, and the exploit which is circulating seems to also rely on MS Office to be present (not clear why, as yet).
“However, all versions of IE are affected by this issue, which means that this vulnerability has likely been present since IE 6 was released in 2001. The fact that it is getting attention now is either due to a noticeable volume or impact of active exploitation in the wild. It may have just been discovered last week, or it may have been in the private toolkit of the world’s best malware writers for more than a decade.”
He commented that as the exploit code is in the wild, it is only a matter of time before it appears in commercial malware packs and broader exploitation, and recommended using a browser other than Internet Explorer.
“Users who must use Internet Explorer should install all available Internet Explorer patches, and only use the latest versions available,” he said. “Neither of those things will directly help with this specific issue, but are good practices and pre-requisites for the following actions to be at all effective.”
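The advice above (install every available Internet Explorer patch and run the latest version) is easy to state but hard to verify across a fleet. The following PowerShell inventory script is an added example, not code from the article, Rapid7 or Microsoft; it reads the Internet Explorer build from the registry, lists the most recent security updates, and warns when a host has gone a month without one. It assumes a Windows host with PowerShell 3 or later, and the registry value names (`Version` and the IE 10+ `svcVersion`) are the standard ones under `HKLM:\SOFTWARE\Microsoft\Internet Explorer`.

```powershell
# Added example (not from the article): inventory the Internet Explorer build
# and recent security updates on a host so an administrator can confirm the
# "install all patches, run the latest version" advice. Assumes Windows with
# PowerShell 3+; run from an elevated prompt for a complete hotfix list.

$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ie = Get-ItemProperty -Path $ieKey -ErrorAction Stop

# IE 10 and later record the real version in svcVersion; older builds only in Version.
$ieVersion = if ($ie.PSObject.Properties['svcVersion']) { $ie.svcVersion } else { $ie.Version }
$major = [int]($ieVersion.Split('.')[0])

# Report the build; IE 8 and 9 are the versions the article says were seen exploited,
# but every supported version is affected, so the flag is a prioritisation hint only.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    IEVersion       = $ieVersion
    SeenExploited   = ($major -eq 8 -or $major -eq 9)
}

# Show the ten most recent security updates so the patch level is visible at a glance.
$securityUpdates = Get-HotFix |
    Where-Object { $_.Description -match 'Security' -and $_.InstalledOn } |
    Sort-Object InstalledOn -Descending

$securityUpdates | Select-Object -First 10 HotFixID, Description, InstalledOn

# Warn when the host has taken no security update in the last 30 days (constructed threshold).
$latest = ($securityUpdates | Select-Object -First 1).InstalledOn
if (-not $latest -or $latest -lt (Get-Date).AddDays(-30)) {
    Write-Warning "$($env:COMPUTERNAME): no security update installed in the last 30 days (last: $latest)"
}
```

Run it under a remoting session (`Invoke-Command -ComputerName ... -FilePath`) to collect the same three facts from every machine; hosts still on IE 8 or 9 with a stale patch date are the ones to move to a current browser first.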
Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing said that the issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. “This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message,” he said.
Barrett said: “The mantra ‘I only visit safe sites’ is a false promise of protection, as it’s far too easy to misdirect, redirect, or otherwise cause a user to interact with a site that they are not expecting to. Legitimate sites may also be compromised to host malware serving this exploit.”