A new exploit for IE9 bypasses all security measures in even the latest fully patched version of Windows 7, according to a French security company Vupen.
The exploit uses an unpatched zero-day vulnerability in Internet Explorer 9 and bypasses all the extra security measures of Windows 7. The latest version of Microsoft's operating system, fully up-to-date with service pack 1 (SP1), is vulnerable. The security hole was reported by the French security company Vupen, that previously discovered an IE8 vulnerability in December of last year.
[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]
Vupen classifies the exploit for IE9 as reliable, which means it's an effective way for cyber attackers to run malicious code of their choosing on Windows 7 PCs. The exploit manages to break through Windows' additional security layers, such as ASLR, DEP and the sandbox (Protected Mode) in IE9.
"The exploit uses two distinct vulnerabilities. The first one allows execution of arbitrary code within the IE9 sandbox. The second one allows the bypass of the sandbox to achieve full code execution," Vupen's CEO Chaouki Bekra told Dutch IDG news site Webwereld.
The risk of this exploit so far is limited: exploit code has not been spotted in the wild. The vulnerabilities were discovered by researchers from Vupen, who made their own exploit. "We confirmed the exploitability of the vulnerability and we created a code execution exploit which works with Internet Explorer 9 on Windows 7 and Windows 7 SP1," Bekra said.
Bekra stressed that the vulnerabilities have not been publicly disclosed. "Access to our code and to the in-depth analysis of the vulnerability is restricted to our government customers who use the information to protect their critical infrastructures," he said.
IE9 is not much in use by governments or even companies. However, the vulnerability is not limited to the latest version of Microsoft's browser. The security hole is also present in IE8, 7 and 6, for which Vupen has not made a working exploit.
Vupen's exploit code is only effective on IE9, which can run on Windows 7 and predecessor Windows Vista. IE9 has recently been released and is not yet being distributed through Windows Update. Microsoft will start that rollout in the coming weeks. An exact date for the wider distribution and installation of the latest Windows browser has not been disclosed.
IE9 currently has a market share of 3.6 percent amongst Windows 7 users, according to figures from market researcher NetApplications. Windows 7 itself has a global market share of nearly 25 percent. Windows XP still has a larger installed base.
Measured across all PC users IE9 has a market share of only 1.04 percent, reports NetApplications. Competitor StatCounter doesn't even show IE9 as a separate browser in its market share overview, but puts it in the category "other."