If Microsoft calls a vulnerability “critical,” warns that it affects all versions of Windows, and is prepared to issue a patch outside of its normal Patch Tuesday monthly schedule, you should sit up and listen.
Today, Microsoft has issued an advisory about a zero-day vulnerability, dubbed CVE-2015-2502, that could allow an attacker to hijack control of your computer via Internet Explorer – just by you visiting a boobytrapped webpage.
Microsoft’s new browser, Edge, which ships with Windows 10, is not at risk through the vulnerability. But the same cannot be said for all currently supported versions of Internet Explorer, including version 11.
In its advisory, Microsoft warns that vulnerable computers can be exploited just by visiting maliciously-crafted webpages using Internet Explorer, with no further user interaction required.
Most likely, attempts would be made to redirect potential victims to boobytrapped websites using spammed-out links, or by tricking users into opening an unsolicited email attachment.
Microsoft’s advisory states:
“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”
“The CVE-2015-2502 memory corruption vulnerability exists because IE does not properly manage certain objects in memory. The vulnerability is rated critical for Windows non-Server operating systems,” says Lane Thames, Software Development Engineer at Tripwire. “However, the vulnerability is rated moderate for Windows Server platforms including Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.”
Once a computer has been successfully compromised, the attacker would have the same user rights as the current user – meaning that if you are logged in with admin rights, the hacker could take complete control of your PC. Thereafter, it would be simple for the attacker to install further malware, steal information, and make other changes to your settings to compromise security.
It’s not yet clear whether the zero-day vulnerability is being actively exploited by malicious hackers, but it might be wise to assume that it is if you care about security.
Of course, not all businesses will be able or willing to roll out an Internet Explorer security patch instantaneously across their enterprises, and those Microsoft customers will no doubt be pleased to hear that Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) mitigates the vulnerability, although – of course – this should only be considered a temporary measure, and a proper security patch is what is ideally required.
This is far from the first occasion when EMET has provided an additional level of defence for an organisation, and it’s a shame that so few companies appear to be aware of this powerful tool.
The secret to protecting your business is to adopt a layered defence, using a variety of technologies.
After all, there’s no indication that zero-day vulnerabilities are drying up.
Just last month, Microsoft was forced to release a separate emergency out-of-band security patch, this time addressing a flaw in how the Windows Adobe Type Manager Library handles specially crafted OpenType fonts.
That zero-day vulnerability, incidentally, was developed by the Italian spyware firm Hacking Team, and only became public after they themselves were hacked.
As long as there are people in the business of finding and exploiting zero-day vulnerabilities, we’re likely to keep on finding ourselves installing emergency patches.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.