Criminals are using a new Internet Explorer security hole to attack Windows computers in targeted attacks, though the vulnerability could end up being more widely exploited. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are. It’s great to see that the latest versions of IE are immune, but this new vulnerability is still bad news for Windows XP users and earlier since they cannot upgrade to more recent versions of Microsoft’s browser.

Update on December 31: Microsoft releases temporary fix for vulnerability in IE6, IE7, and IE8, security patch coming soon

“Microsoft released Security Advisory 2794220 to provide customer awareness of a vulnerability affecting Internet Explorer versions 6, 7, and 8,” Dustin Childs of Microsoft Trustworthy Computing told The Next Web. “While we actively work to develop an easy, one-click Fix it solution and security update for this issue, we strongly encourage that customers apply the mitigations and workarounds described in the advisory.”

The IE zero-day flaw first came to light after report surfaced that the Council on Foreign Relations (CFR) had been hacked. A closer look by security firm FireEye led to the discovery that the CFR site had been compromised and was hosting malicious content as early as on December 21.

“The Council on Foreign Relations’ website security team is aware of the issue and is currently investigating the situation,” CFR spokesperson David Mikhail told The Washington Free Beacon on Thursday. “We are also working to mitigate the possibility for future events of this sort.”

The malicious JavaScript in question only served the exploit code to browsers whose language was either English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian. Once the initial checks passed, the JavaScript proceeded to load an Adobe Flash file named “today.swf.” This file ultimately triggered a heap spray in IE and downloaded a file named “xsainfo.jpg.”

More details of the vulnerability are available at the CERT Knowledgebase ( VU#154201). Here’s the full technical description:

Microsoft Internet Explorer contains a use-after-free vulnerability in the mshtml CDwnBindInfo object. Specially-crafted JavaScript can cause Internet Explorer to create a CDoc object that contains a CDwnBindInfo object. This object may be freed without removing its pointer, resulting in a state where Internet Explorer may attempt to CALL an invalid memory address. Combined with heap spraying or other techniques, an attacker may be able to place arbitrary code at this address. This vulnerability is currently being exploited in the wild, using Adobe Flash to achieve a heap spray and Java to provide Return Oriented Programming (ROP) gadgets.

Since there is no patch available, the note recommends a few workarounds: use the Microsoft Enhanced Mitigation Experience Toolkit (EMET), disable the Flash ActiveX control in IE, and disable Java in IE. We recommend avoiding the use of IE8 or earlier by either upgrading to IE9/IE10, or simply using a different browser such as Google Chrome.

Update on December 31: Microsoft releases temporary fix for vulnerability in IE6, IE7, and IE8, security patch coming soon

Image credit: Miguel Saavedra