A new zero-day vulnerability in certain versions of Internet Explorer has been identified and is being used in targeted attacks. Microsoft has not released an official bulletin acknowledging this vulnerability yet, but has spoken to news sites and confirmed that both Internet Explorer 9 and 10 are affected. The newest version, Internet Explorer 11, does not suffer from this vulnerability.
If exploited, this vulnerability allows an attacker to target users with a drive-by download, allowing files to be downloaded and run user systems without any user input needed, beyond visiting a website.
Two versions of Windows are not affected by this threat: Windows 8.1 (because it includes IE11), and Windows XP (because it only supports up to IE8.) All other versions of Windows are at potential risk, depending on the version of Internet Explorer present on the system.
This attack was initially spotted on the website of a non-profit organization in the United States. The files used in this exploit are detected as HTML_EXPLOIT.PB, HTML_IFRAME.PB, and SWF_EXPLOIT.PB. The backdoor that was planted on affected machines using this zero-day is detected as BKDR_ZXSHELL.V. No formal bulletin or workarounds have been issued by Microsoft; we recommend that users of Windows 7 or 8 consider upgrading to Internet Explorer 11 to avoid this problem.
We are currently analyzing both the exploit itself and the payloads used in this attack, and will provide further information as appropriate.
Update as of 5:00 PM PST, February 16, 2014:
We have released new Deep Security rules that provide protection against this vulnerability, namely:
- 1005908 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322)
- 1005909 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 2
- 1005911 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 3
Update as of 11:00 PM PST, February 19, 2014:
Microsoft has released an advisory acknowledging this attack and confirming that it is limited to Internet Explorer 9 and 10. A workaround has also been provided in the form of a Microsoft Fix It solution.