Internet Explorer users will be a great deal safer from Tuesday onwards, after Microsoft announced a patch for a vulnerability that has been exploited by attackers “for months” according to reports.
The vulnerability has been used in targeted attacks against users in Japan and Taiwan, according to ComputerWorld, and experts feared that less-capable hackers would use the exploit after it was released as a module for the popular penetration-testing tool Metasploit.
The vulnerability affects all versions of Microsoft’s browser, and the patch will be released as part of Microsoft’s standard “Patch Tuesday” package.
On September 21, the Internet Storm Center raised its threat level to yellow in response to reports of attacks which exploited the vulnerability, saying, “The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505. Accordingly, we’re moving the InfoCon up to Yellow.”
“Today we’re providing advance notification for the release of eight bulletins, four Critical and four Important, for October 2013,” said Dustin Childs of Microsoft Trustworthy Computing in a blog post.
“The Critical updates address vulnerabilities in Internet Explorer, .NET Framework and Windows. The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505.”
Earlier this week, the exploit had been released as a module for the popular penetration testing tool Metasploit – sparking fears of a new wave of attacks.
The open-source tool is used to test vulnerabilities, but Lucian Constantin of the IDG News Service suggested that, “An exploit for a vulnerability that affects all versions of Internet Explorer and has yet to be patched by Microsoft has been integrated into the open-source Metasploit penetration testing tool, a move that might spur an increasing number of attacks targeting the flaw.”
The module was posted by Metasploit contributor Wei Chen, who said, “Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft.”
There have been multiple reports of the exploit being used in the wild, according to a report by PC World. PC World also suggested that while Metasploit is targeted at the researcher community, the release could lead to the exploit code landing in the hands of cybercriminals.
Microsoft has already released an emergency fix for the vulnerability in all versions of Internet Explorer. Microsoft warns that targeted attacks have already attempted to exploit it
In a blog post, Dustin Childs of Microsoft’s Security Response Center said that the risks for users lay in attackers compromising trusted websites – or convincing them to click links in emails or instant messages.
“This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type,” Childs wrote. “This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message.”
Author Rob Waugh, We Live Security