The second zero-day exploit in as many weeks. Security researcher Eric Romang, who was investigating the Java zero-day that caused worldwide panic a few weeks ago (see previous article here), discovered a second zero-day flaw, this one affecting Microsoft’s Internet Explorer browser. The “Nitro” hacking group, whom Mr. Romang was monitoring, were none too happy to have their previously undisclosed zero-day outed; they quickly removed the files from the suspect server and replaced them with a text file containing the word “eromang” (the researcher’s Twitter handle).
As of the time of this writing, the flaw remains unpatched and exploits have been noted in the wild. Security experts warn that exploitation of the vulnerability could skyrocket now that working exploit code has been incorporated into the Metasploit framework and will likely make it into virus kits, such as Blackhole and Phoenix.
Until a patch is released, we recommend that clients and their employees keep internet usage to a minimum and consider using an alternative browser such as Mozilla Firefox or Google Chrome. Users should also ensure that antivirus software is installed and properly updated. Many antivirus products and IPS signatures have been updated to identify both the original exploit and the Metasploit variant; however, these should be treated only as a stop-gap measure, since new variations of the malware could surface that remain undetected.
The Microsoft advisory relating to the vulnerability indicates that it can be temporarily mitigated with the EMET tool and by tightening IE security zone settings; however, researchers warn that the workarounds may not be completely effective and may also cause problems with some applications that rely on IE for functionality. Some bloggers have also recommended uninstalling Java as a mitigation tactic; however, this recommendation only affects the Metasploit version of the exploit for IE 8 on Windows Vista / 7 and IE 9 on Windows 7. That being said, it is still a good idea to remove Java where possible to reduce the attack footprint.
The Metasploit version of the exploit uses a ROP chain built from the JRE to bypass the security measures on those versions of Windows; note that the XP targets and IE7 on Vista do not rely on the JRE.
Below is a screenshot of a compromised Windows XP SP3 machine with no Java installed:
As we have been unable to find the full source code for the original exploit, we have been unable to determine whether it relies on Java being installed.
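As an added illustration of the points above (this is our own read-only inventory snippet, not code from the original post or from Microsoft), the following PowerShell reports the facts the workarounds depend on: OS and IE version, whether a JRE is installed, whether EMET appears to be present, and whether the Internet zone has ActiveX and Active Scripting disabled. The IE zone value names (1200, 1400) and their meanings are documented IE settings; the EMET registry key is an assumption.

```powershell
# Added example: exposure check for the IE zero-day workarounds discussed above.
# Read-only; safe to run on Windows XP / Vista / 7 with PowerShell 2.0.
$os = [Environment]::OSVersion.Version
$osName = switch ("$($os.Major).$($os.Minor)") {
    '5.1' { 'Windows XP' }
    '6.0' { 'Windows Vista' }
    '6.1' { 'Windows 7' }
    default { 'other' }
}

# IE version: 'svcVersion' exists on IE10+, older builds expose only 'Version'.
$ieProps   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ieProps.svcVersion) { $ieProps.svcVersion } else { $ieProps.Version }
$ieMajor   = [int]($ieVersion.Split('.')[0])

# IE runs as a 32-bit process here, so a 32-bit JRE under Wow6432Node counts as well.
$jreKeys = @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
             'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
$jreInstalled = @($jreKeys | Where-Object { Test-Path $_ }).Count -gt 0

# Assumption: EMET stores its settings under this key when installed.
$emetPresent = Test-Path 'HKLM:\SOFTWARE\Microsoft\EMET'

# Internet zone is zone 3. Value 1200 = "Run ActiveX controls and plug-ins",
# 1400 = "Active scripting"; data 0 = enable, 1 = prompt, 3 = disable.
$zone = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$activeXDisabled   = ($zone.'1200' -eq 3)
$scriptingDisabled = ($zone.'1400' -eq 3)

# Per the post: the Metasploit module's JRE-based ROP chain is used for
# IE8 on Vista/7 and IE9 on 7, so removing Java only helps on those combinations.
$jreRopApplies = ($ieMajor -eq 8 -and @('Windows Vista','Windows 7') -contains $osName) -or
                 ($ieMajor -eq 9 -and $osName -eq 'Windows 7')

New-Object PSObject -Property @{
    OS                        = $osName
    IEVersion                 = $ieVersion
    JREInstalled              = $jreInstalled
    EMETPresent               = $emetPresent
    InternetZoneActiveXOff    = $activeXDisabled
    InternetZoneScriptingOff  = $scriptingDisabled
    MetasploitChainNeedsJRE   = $jreRopApplies
    RemovingJavaHelpsHere     = ($jreRopApplies -and $jreInstalled)
}
```

Run it per user (the zone settings live under HKCU) and treat any machine where both zone values are still 0 and EMET is absent as unmitigated until the patch lands.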
UPDATE – 9/19/2012: Microsoft indicates in this advisory that an out-of-band patch will be released soon (prior to the next Patch Tuesday). Unfortunately, it is unclear at this point if the fix will be distributed as a patch through the Microsoft Update framework. If released only as a standalone fix, the update will require manual download and installation on workstations, making deployment in an enterprise environment difficult.
UPDATE – 9/21/2012: Microsoft’s advisory now points to a standalone “fix-it” utility, which is available here, and further indicates that an out-of-band patch through the Microsoft Update channel will be released today. This is good news for enterprise environments.