New zero-day involves IE, puts Windows XP users at risk

Microsoft investigates unpatched flaw that affects users running IE7 and IE8

Microsoft on Sunday confirmed it's investigating an unpatched bug in VBScript that hackers could exploit to plant malware on Windows XP machines running Internet Explorer (IE).

The flaw could be used by attackers to inject malicious code onto victims' PCs, said Maurycy Prodeus, the Polish security analyst with iSEC Security Research who revealed the vulnerability and posted attack code on Friday.

Users running IE7 or the newer IE8 are at risk, said Prodeus.

Microsoft noted it's already on the case. "Microsoft is investigating new public claims of a vulnerability involving the use of VBScript and Windows Help files within Internet Explorer," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), in an e-mail Sunday. "The current state of our investigations shows that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not affected."

Bryant added that Microsoft has not yet seen any evidence of attacks exploiting the vulnerability.

Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file -- such files have a ".hlp" extension -- then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as "medium" because of the required user interaction.

"First an attacker needs to force a victim to visit a malicious Web page," Prodeus said in an e-mail Sunday. "The victim must be using Windows XP [and] Internet Explorer. A bit of social engineering is required to persuade the victim to push F1 button when [a] VBScript pop-up is displayed."

Another security researcher, Cesar Cerrudo, confirmed that Prodeus' proof-of-concept exploit works. "I tried the exploit and I can confirm it reliably works on IE8 with Windows XP fully patched," said Cerrudo, the head of Argeniss Information Security, an Argentinean security consultancy.

Cerrudo thought that the flaw was more serious than did Prodeus. "I would say the vulnerability is 'high severity,' not 'medium,'" said Cerrudo in an e-mail. "It's not critical since it needs user interaction, the user pressing F1 key when a message dialog is displayed. [But] I would say that there is a high probability a regular user will press F1 key if asked, since an attacker can annoy the user with hundreds of messages telling the user to press F1 to continue."

According to Cerrudo, Prodeus' attack is successful because it abuses the VBScript "MsgBox()" function.

"Windows Help files are included in a long list of what we refer to as 'unsafe file types'," acknowledged Microsoft's Bryant in a follow-up on the MSRC blog later on Sunday. "These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system."

Bryant didn't provide a timeline for a fix, but used Microsoft boilerplate in his e-mail to say that the company might address the vulnerability with a regularly-scheduled fix, a so-called "out-of-band" update or other guidance.

Microsoft's next scheduled security release date is March 9.

Although Microsoft has not yet recommended any defensive steps Windows XP users can take until a patch is available, Prodeus said blocking the outbound TCP port 445 would stymie attacks. "However, it is worth to note that blocking this port doesn't solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim's machine at known path location using some third-party browser plug-ins," he said.

Another workaround, said Cerrudo in a Friday tweet, is to ditch IE for another browser.

Gregg Keizer

Computerworld (US)