The first zero-day flaw to affect Windows XP users has been disclosed.
Affecting Internet Explorer versions from six to the most recent 11, the vulnerability is a remote code execution vulnerability which exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.
According to an advisory,an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. As support for IE6 ended with the end of support for Windows XP at the start of April, this will mean that this flaw will not be fixed for this browser and operating system.
Microsoft said: “On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
Originally discovered and disclosed by FireEye, it said that it affects IE6 through IE11, but the attack is targeting IE9 through IE11. “This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability,” it said.
“We believe this is a significant zero-day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available. Collectively, in 2013, the vulnerable versions of IE accounted for 26.25 per cent of the browser market,” its blog post said.
“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray. The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”
Testing by Symant
ecconfirmed that the vulnerability crashes Internet Explorer on Windows XP. It said: “However, Microsoft stated that versions of its Enhanced Mitigation Experience Toolkit (EMET) 4.1, which is supported by Windows XP and above can mitigate this Internet Explorer vulnerability. Besides using EMET, Symantec Security Response encourages users to temporarily switch to a different Web browser until a patch is made available by the vendor.”
FireEye said that using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. “EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests. Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10. Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.”
Ross Barrett, senior manager of security engineering, at Rapid7, said: “This zero-day is the first of what will inevitably be many issues to affect Windows XP in the post XP era. Users still on XP have no choice but to upgrade in order to receive protection. Of course, for Microsoft, Windows XP is already all but forgotten, in that, since it is no longer supported, it is not listed in the vulnerable systems.
“Overall, this issue isn’t all the different from any number of IE zero-days, we usually get three or four every year, except that it’s the first in the post-XP world. All the more reason for users to move to modern, supported, operating systems where advanced mitigation techniques are available.”