A vulnerability in Microsoft Internet Explorer (IE) browser is leaving thousands of businesses open to targeted attacks.
Microsoft group manager of response communications Dustin Childs revealed the threat in a security advisory, confirming that hackers are actively exploiting a weakness in the browser.
"Today we released Security Advisory 2887505 regarding an issue that affects IE. There are only reports of a limited number of targeted attacks specifically directed at IE8 and 9, although the issue could potentially affect all supported versions," Childs said.
"This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message."
Since the flaw was revealed, numerous security vendors have released their own advisories warning of the potential damage an attack targeting the vulnerability could do, noting that it could be used for a variety of purposes by hackers.
An advisory by the SANS Internet Storm Center (ISC) said: "A targeted attack that gets a user to view a malicious webpage (or malicious content on an otherwise safe webpage) could lead to memory corruption that could execute arbitrary code with the permissions of the logged-in user."
Childs said IE users should deploy workaround fixes to help temporarily plug the vulnerability while Microsoft works on a more permanent fix. "While we are actively working to develop a security update to address this issue, we encourage IE customers concerned with the risk associated with this vulnerability to deploy the following workarounds and mitigations from the advisory," wrote Childs.
The recommendations included installing the "Fix it" CVE-2013-3893 MSHTML Shim Workaround, setting the Internet and Local intranet security zones to High, and configuring IE to prompt the user before running Active Scripting. SANS welcomed the recommendations, urging businesses using IE to follow Microsoft's advice as soon as possible.
"Two suggested actions are provided by Microsoft, apply the Fix it [solution] provided by Microsoft or deploy Enhanced Mitigation Experience Toolkit (EMET) 3.0/4.0, which provides generalised protection of memory (and probably not a bad idea to deploy anyway). Note the Fix it only applies to 32-bit versions of IE," said the ISC's advisory.
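As an added check that is not part of the article or of Microsoft's advisory, the PowerShell function below audits the zone-setting workaround described above for the current user: it reads the Internet (zone 3) and Local intranet (zone 1) settings and reports whether the zone level is High and whether Active Scripting is still set to run silently. The registry path, the `CurrentLevel` constant and the `1400` value name are standard IE zone settings that I am assuming here; they are not quoted from the page, and the script does not verify the Fix it shim or EMET.

```powershell
# Added example (not from the advisory): audit the IE security zone
# workaround for the current user. Registry names and constants are
# standard IE zone settings assumed here, not taken from the article.
# Machine-wide policy (HKLM) can override these per-user values; this
# check only reads HKCU.
function Test-IEZoneWorkaround {
    param(
        [int[]]$ZoneIds = @(1, 3)   # 1 = Local intranet, 3 = Internet
    )
    $base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $HighLevel = 0x12000            # CurrentLevel value used by the "High" template
    $names     = @{ 1 = 'Local intranet'; 3 = 'Internet' }

    foreach ($id in $ZoneIds) {
        $key   = Join-Path $base $id
        $props = Get-ItemProperty -Path $key -ErrorAction Stop
        $level = [int]$props.CurrentLevel
        $script = [int]$props.'1400' # 1400 = Active scripting: 0 enable, 1 prompt, 3 disable

        $scriptState = switch ($script) {
            0       { 'Enable' }
            1       { 'Prompt' }
            3       { 'Disable' }
            default { 'Unknown' }
        }

        [pscustomobject]@{
            Zone               = $id
            ZoneName           = $names[$id]
            CurrentLevel       = ('0x{0:X}' -f $level)
            LevelIsHigh        = ($level -eq $HighLevel)
            ActiveScripting    = $scriptState
            # Either High or a non-zero 1400 value means scripts no longer run silently
            ScriptingMitigated = ($level -eq $HighLevel -or $script -ne 0)
        }
    }
}

Test-IEZoneWorkaround | Format-Table -AutoSize
```

A row with `ScriptingMitigated` equal to `False` means that zone still runs Active Scripting without a prompt, so the workaround from the advisory has not been applied there.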
Even with the workarounds, many members of the security community have warned that the vulnerability will cause trouble until a full patch is released. F-Secure security analyst Sean Sullivan told V3 he expects hackers to continue taking advantage of the vulnerability while Microsoft works on its patch.
"If it isn't bad now it will be soon. Microsoft writes that IE8 and IE9 are currently being targeted in limited attacks, but it looks as if all versions of IE are vulnerable. Currently, approximately 58 percent of our top-ten customer detections are of exploits, and the bulk of those are Java-based. Targeting the browser rather than a third-party plugin always makes for a better attack," he said.
"Exploit kit vendors will undoubtedly rush to add an exploit based on this vulnerability. There are still lots of Windows XP users in the world and they are limited to IE8. This could warrant an out-of-band patch. Our guys are already working on a good generic exploit detection. It will be needed."
The new vulnerability is one of many recently found in IE. Microsoft issued a report in May confirming that hackers had targeted a zero-day exploit in Internet Explorer 8 (IE8), during attacks on the US Department of Labor (DOL) and the Department of Energy (DOE) websites.
Despite the troubling news, Microsoft has had a strong track record of plugging vulnerabilities since the launch of its Trustworthy Computing (TwC) department, usually releasing fixes on the second Tuesday of every month.