Zero-Day Browser Exploit Prompts Urgent Microsoft Fix-It
Microsoft warns users of Internet Explorer about a new browser-based exploit; the fix is temporary and doesn't cover all users.
There's a new zero-day exploit attacking users of Internet Explorer, and Microsoft yesterday (Sept. 17) issued a security advisory and a "fix-it" temporarily patching the underlying software hole for most users.
"Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer," the company's security advisory stated. "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9."
A zero-day exploit is a piece of malware that attacks computers using a security flaw that hasn't yet been patched. Often, security experts find out about the flaw only when they discover the malware, hence the "zero day" tag.
Microsoft didn't get too specific about the new vulnerability, but did say it "exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. ... An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
In somewhat plainer English, that means the vulnerability is a "use-after-free" bug that lets malicious software sneak in by gobbling up memory space other processes have used, then discarded.
MORE: 5 Free PC Security Programs Worth Downloading
The infection could happen via a "drive-by download" or "watering hole" attack, in which users stumble upon or are lured to malicious websites that automatically infect Web browsers.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Unfortunately, as Microsoft warned, many legitimate websites let users and advertisers upload links and other executable content, which could also be used to infect browsers.
"The exploit we analyzed worked only on Windows XP or Windows 7 running Internet Explorer 8 or 9," a Microsoft engineer told Kaspersky Lab's Threatpost security blog.
But Microsoft is taking no chances. The fix-it covers all currently supported versions of Internet Explorer, which include IE 6 through 11 on Windows XP through Windows 8, plus associated server variants.
There is one caveat: The fix-it applies only to 32-bit versions of IE. Users of 64-bit IE will either have to wait for a proper software update or install Microsoft's Enhanced Mitigation Experience Toolkit, which lets you fine-tune exactly what each application can do.
Fortunately, you've probably got 32-bit IE, even if you're using a 64-bit version of Windows. To make sure, open Task Manager by pressing Shift + Control + Esc, and then click on the "Processes" tab. All 32-bit applications will have "*32" appended to their names.
To minimize your exposure to drive-by downloads and similar Web-based exploits, take three simple but important steps.
First, create "limited" user accounts on your computer, and use them for all tasks except installing or modifying software. Use the "administrator" account with full privileges only for those purposes.
Second, turn on your operating system's built-in firewall. If you have a home wireless or Ethernet router, enable the firewall on that as well.
Third, install robust, multi-featured anti-virus software that screens Web links and scans downloads before they're opened. There's decent free anti-virus software, but most of the good stuff has to be paid for.
Follow us @tomsguide, on Facebook and on Google+.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.