The Department of Homeland Security's US-CERT team has issued an official advisory, warning Windows customers that they should not use any modern version of Internet Explorer, from IE6 to IE11. It's important to note that Microsoft's Security Advisory 2963983 lists the exploit as a problem even with IE11 running on Windows 8.1 and Windows RT 8.1. It isn't clear from Microsoft's list if the problem also affects Windows 8, Windows RT, and/or Windows 8.1 Update, although Server 2003, Server 2008, 2008 R2, 2012, and Server 2012 R2 running with their default settings aren't vulnerable.
As Microsoft notes, this is a drive-by class security hole: your machine can be compromised if you simply visit an infected site.
FireEye first caught and dissected the vulnerability, publishing an extensive examination on Saturday:
The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP... Threat actors are actively using this exploit in an ongoing campaign which we have named "Operation Clandestine Fox"... for many reasons, we will not provide campaign details. But we believe this is a significant zero day as the vulnerable versions (IE 9 thru 11) represent about a quarter of the total browser market.
The attack vector is quite ingenious in loading a Flash SWF file, using it to selectively spray memory, and looping back to a JavaScript program in IE. The program takes advantage of the IE bug to run a complex series of programs that ultimately lead to the breach. Flash itself doesn't contain the bug, but it's a handy foil for the IE exploit.
FireEye notes that disabling the Flash plug-in in IE will prevent this particular exploit from functioning. Since Flash is baked into IE10 and IE11, it appears that disabling Flash will only work in IE6 through IE9. But note that the security hole still exists in IE, even without Flash. It's entirely possible that someone will come up with a nearly identical exploit that uses some other handy fixed-size heap allocation.
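A defender's check for the Flash workaround just described, written as an added example (it is not code from the article, FireEye or Microsoft): it reports the installed IE version and whether the Shockwave Flash ActiveX control is disabled through Microsoft's documented kill-bit mechanism. The control's CLSID, the registry paths and the 0x400 flag value are not given on the page; they are assumptions taken from that documented mechanism.

```powershell
# Added example: report the IE version and whether the Flash ActiveX control is kill-bitted.
# Assumptions (not from the article): the CLSID and kill-bit registry layout below follow
# Microsoft's documented ActiveX Compatibility / kill-bit mechanism.
$flashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object (assumed)
$killBitFlag = 0x400                                      # kill bit in "Compatibility Flags"
$ieKey       = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'

function Get-IEMajorVersion {
    # IE10 and later record their real version in svcVersion; older builds only in Version.
    $props = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    $ver = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    if (-not $ver) { return $null }
    return [int]($ver.Split('.')[0])
}

function Test-FlashKillBit {
    # Check both the native and the 32-bit (Wow6432Node) compatibility keys.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
    )
    $results = @{}
    foreach ($p in $paths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $results[$p] = ($null -ne $flags) -and (($flags -band $killBitFlag) -ne 0)
    }
    return $results
}

$major = Get-IEMajorVersion
Write-Output "Installed IE major version: $major"
if ($major -ge 10) {
    # The article's point: Flash is built into IE10/IE11, so disabling the plug-in is not
    # expected to block this exploit there; EMET is the mitigation Microsoft recommends.
    Write-Output "IE10/IE11 detected: disabling Flash alone is not expected to help on this version."
}
foreach ($entry in (Test-FlashKillBit).GetEnumerator()) {
    $state = if ($entry.Value) { 'kill bit SET (control disabled)' } else { 'kill bit NOT set' }
    Write-Output "$($entry.Key): $state"
}
```

Run it from an elevated PowerShell prompt on the machine being checked; reading the keys does not change anything.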
Microsoft recommends using the Enhanced Mitigation Experience Toolkit (EMET), but nobody is saying -- or may know for sure -- whether EMET definitely plugs the hole. FireEye says EMET has blocked the specific exploit it's examining on all of its machines.
As for where this leaves Windows XP users, while the general exploit approach apparently works on XP systems -- as suggested by the inclusion of Server 2003 SP 2 on Microsoft's "affected programs" list -- FireEye hasn't uncovered in-the-wild exploits with IE6 thru IE8. (Also, XP won't run IE9, IE10, or IE11.) Clearly, XP users would be foolish to be running IE right now, but that's been true for many years.
Will Microsoft patch IE on XP systems? It's an interesting question, because the flaw is in IE, not XP. A related question: If Microsoft fixes IE6, IE7, and IE8 running on Server 2003 SP 2, will the same fix work on XP?
Exciting times -- we may be witnessing the start of the Robin XP Hood patching brigade I mentioned earlier this month. I wonder if there are a few Merry Men (and women) willing to incur the wrath of the Sheriff of Nottingham.
This article, "US CERT and KB 2963983: Don't use drive-by-enabled Internet Explorer," was originally published at InfoWorld.com.