Attention internet users: you should all stop using Internet Explorer immediately.
This means if you’re logged into your computer as an Administrator an odious hacker could usurp your credentials to delete software, inject Trojans, steal data, create secret accounts or just basically wreak absolute bedlam on your system. The vulnerability has the potential to give a threat agent carte blanche access to your computer.
Technically, how does it work?
This is the way it works:
The attacker creates a malicious website that looks completely legitimate and then fools a user into viewing it.
You visit the nefarious website through Internet Explorer and then you’re owned.
To Microsoft’s credit, it has diligently implemented defense-in-depth strategies to avert this kind of thing.
The Data Execution Prevention technologies inaugurated with Windows XP SP2 and Address Space Layout Randomization introduced in Windows Vista were both designed to guard against common memory exploitation techniques.
But in this case, both are inadequate because this particular exploit employs a use-after-free technique to achieve arbitrary access to memory.
To execute a use-after-free exploit you allocate memory in the heap, the storage area an application uses for data it allocates on the fly while it runs.
After allocating memory there, you free it, but the program keeps a pointer to the block and uses it again after it has been freed. By then the ostensibly free memory may already be in use for something else, and this is where there is an opportunity to hijack the execution of the application.
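The pattern just described, allocate, free, keep the pointer, use it again, is shown below together with one of the standard ways defenders blunt it: instead of handing a freed block straight back to the allocator, park it in a quarantine and fill it with a poison value, so the very next same-sized allocation cannot land on it and a stale read sees poison rather than whatever a later user placed there. This is an added example written for this page, not code from FireEye, Microsoft or EMET; all names (`q_malloc`, `q_free`, `demo_quarantine`, `struct record`) are hypothetical, and the quarantine is a teaching sketch of the idea rather than a production allocator.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical quarantine allocator (added example, not the page's code). */
#define QUARANTINE_SLOTS 8
#define POISON_BYTE 0xDD

/* Ring of blocks the program has released but that have not yet reached free(). */
static void *quarantine[QUARANTINE_SLOTS];
static size_t q_head = 0;   /* oldest entry */
static size_t q_count = 0;  /* entries in use */

void *q_malloc(size_t n)
{
    return malloc(n);
}

/* Poison the block so a stale read yields 0xDD bytes, then park it. Only when
 * the ring is full is the oldest block really free()d, so a chunk cannot be
 * recycled by the very next allocation of the same size. */
void q_free(void *p, size_t n)
{
    if (p == NULL)
        return;
    memset(p, POISON_BYTE, n);
    if (q_count == QUARANTINE_SLOTS) {
        free(quarantine[q_head]);
        q_head = (q_head + 1) % QUARANTINE_SLOTS;
        q_count--;
    }
    quarantine[(q_head + q_count) % QUARANTINE_SLOTS] = p;
    q_count++;
}

int q_is_quarantined(const void *p)
{
    for (size_t i = 0; i < q_count; i++)
        if (quarantine[(q_head + i) % QUARANTINE_SLOTS] == p)
            return 1;
    return 0;
}

size_t q_quarantined_count(void)
{
    return q_count;
}

/* Hand every parked block back to the system allocator (clean shutdown). */
void q_flush(void)
{
    while (q_count > 0) {
        free(quarantine[q_head]);
        q_head = (q_head + 1) % QUARANTINE_SLOTS;
        q_count--;
    }
}

/* A small object of the kind a browser keeps on the heap. */
struct record {
    uint32_t id;
    char name[28];
};

/* The bug pattern from the article. Returns 1 when the quarantine delivers
 * both guarantees: the next same-sized allocation does not reuse the freed
 * chunk, and the stale pointer reads poison. Reading through 'stale' is
 * well-defined here only because q_free has not yet called free() on it. */
int demo_quarantine(void)
{
    struct record *stale = q_malloc(sizeof *stale);
    if (stale == NULL)
        return 0;
    stale->id = 42;
    strcpy(stale->name, "session");

    q_free(stale, sizeof *stale);   /* bug under test: 'stale' is never cleared */

    struct record *fresh = q_malloc(sizeof *fresh);  /* same size as 'stale' */
    if (fresh == NULL)
        return 0;
    fresh->id = 7;
    strcpy(fresh->name, "other");

    int not_reused = (fresh != stale);
    int sees_poison = q_is_quarantined(stale)
                   && ((const unsigned char *)stale)[0] == POISON_BYTE;

    q_free(fresh, sizeof *fresh);
    return not_reused && sees_poison;
}

int main(void)
{
    printf("stale read neutralised by quarantine: %s\n",
           demo_quarantine() ? "yes" : "no");
    q_flush();
    return 0;
}
```

The point of the sketch is the ordering: with a plain `free()`, the allocator is free to return the same chunk to the next request of that size, which is exactly what makes the stale pointer useful to an attacker; delaying the real release and poisoning the contents removes both properties for as long as the block sits in quarantine. The same idea, at much larger scale, is what heap-isolation and deferred-free mitigations in browsers build on.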
Stephen Bradshaw has a really good technical example of how a use-after-free exploit works. It may feel a bit abstruse to non-programmers; however, if you really want to know how this thing works it’s an edifying 45 minute read. Furthermore, you can read the full technical details about how the new Internet Explorer exploit works on FireEye’s blog.
Who’s behind the mayhem?
The hackers at the helm of this attack are both experienced and motivated.
They are collectively (and generically) known as an Advanced Persistent Threat (APT) and have a history of furtively launching attacks and then disappearing without a trace.
Security research firm FireEye has labeled the ominous marks of this threat campaign “Operation Clandestine Fox” and is advising all users to patch their systems as soon as Microsoft releases a fix.
What’s the scope?
The vulnerability is officially known as CVE-2014-1776 and affects every single version of Internet Explorer – none is immune:
- IE6 (Windows XP) 5.76%
- IE7 (Windows XP) 1.73%
- IE8 (Windows XP) 22.48%
- IE9 (Windows 7) 13.9%
- IE10 (Windows 7, Windows 8) 11.04%
- IE11 (Windows 7, Windows 8, Windows 8.1) 1.32%
The above percentages indicate the market share of each browser version according to 2013 statistics from NetMarket Share.
You can do the math and see the pie slice is significant; however, I should mention that the threat agents are focusing attacks on IE9, IE10 and IE11, and those three alone still represent 26.26% of the browser market, so it’s serious.
Given that the pandemic impacts over a quarter of the browser market and that Microsoft has acknowledged that there is currently no real patch yet, this is a big deal.
What should you do?
If you don’t have the liberty of switching from Internet Explorer then it’s imperative that you install the Enhanced Mitigation Experience Toolkit (EMET). FireEye observed that installing EMET 4.1 or EMET 5.0 breaks or detects the exploit.
Alternatively, you can obviate the threat in IE10 and IE11 by enabling Enhanced Protected Mode (EPM).
EPM works because it effectively blocks the vulnerability by disabling unnecessary Internet Explorer capabilities.
In Internet Explorer, open Internet Options by clicking the little gear in the upper right corner of the browser.
Choose the Advanced Tab then scroll down to the bottom of the settings list and put a check mark in Enable Enhanced Protected Mode*.
Click OK then reboot to commit your changes.
Keep in mind this may break Adobe Flash but that’s good because Adobe Flash is actually part of the problem. In other words, you can either Enable Enhanced Protected Mode or Disable the Adobe Flash plugin to mitigate the threat.
Update! (04/29/14 09:02am)
Today Adobe released a patch that plugs the vulnerability in Internet Explorer.