A recently announced zero-day security flaw in Internet Explorer has become a more frequent attack vector since Metasploit released a module for the vulnerability. The zero-day, which Microsoft announced in a September 17 security advisory, affects certain versions of IE 6, 7, 8, 9, 10 and 11, and it has been exploited in the wild since at least July 1, according to Websense Security Labs. Microsoft announced a temporary fix and is expected to patch the software October 8, but the rapid spread of the exploit offers a warning to organizations that hackers don't wait and that eliminating zero-days is essential for software security.
The zero-day is a remote code execution vulnerability that stems from the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated, Microsoft explained. By tricking the user into viewing a malicious website, an attacker could exploit the vulnerability and execute arbitrary code. According to security firm FireEye, at least four advanced persistent threat campaigns using the exploit are underway, with one beginning as early as August 19 and the others appearing more recently.
"The three APT attacks were launched last week, a reflection of how quickly cybercriminals are moving to take advantage of the time before Microsoft issues a patch," CSO Online's Antone Gonsalves noted.
Now that Metasploit, Rapid7's popular penetration testing framework, includes a module for the flaw, attacks are likely to increase further, according to Network World. The speed with which such threats spread is of growing concern to the software security community. In June, Google recommended that any flaw under active exploitation be disclosed and ideally patched within seven days. To keep pace with the speed of attacker responses and mitigate the threat, organizations should also try to eliminate zero-days during development, through tools such as static analysis software and through code review.
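The defect class Microsoft describes above, code that touches an object after it has been deleted, is exactly what static analysis, debug allocators and sanitizers are built to catch before release. The following C program is an added illustration written for this article; it is not code from Internet Explorer, Microsoft, Metasploit or Klocwork, and every name in it (ObjPool, obj_alloc, obj_release, obj_read, the scenario functions) is hypothetical. It models a small object pool whose slots are poisoned on release and validated on every read, the same idea a poisoning allocator or AddressSanitizer applies to real heap memory, and shows three things: a stale alias being refused, why a stale alias becomes dangerous once the slot is reused, and the ownership discipline (null the owning pointer on release) that avoids the bug in the first place.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the article or the products it names.
 * A checked object pool: each slot carries a state word that is poisoned
 * on release and validated on every read, so a reference that outlives its
 * object is reported deterministically in testing instead of silently
 * reading freed memory. All identifiers are hypothetical. */

#define POOL_SIZE 4
#define OBJ_LIVE  0x4C495645u   /* "LIVE" */
#define OBJ_FREED 0xDEADBEEFu   /* poison written on release */

typedef struct {
    uint32_t state;             /* OBJ_LIVE or OBJ_FREED */
    int      value;
} Obj;

typedef struct {
    Obj slots[POOL_SIZE];
} ObjPool;

void pool_init(ObjPool *p) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        p->slots[i].state = OBJ_FREED;
        p->slots[i].value = 0;
    }
}

/* Hands out the first free slot as a live object; NULL when the pool is full. */
Obj *obj_alloc(ObjPool *p, int value) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (p->slots[i].state == OBJ_FREED) {
            p->slots[i].state = OBJ_LIVE;
            p->slots[i].value = value;
            return &p->slots[i];
        }
    }
    return NULL;
}

/* Hardened release: poison the slot AND null the caller's pointer so the
 * owning reference cannot be used again. Returns -1 on a double release. */
int obj_release(Obj **ref) {
    if (ref == NULL || *ref == NULL || (*ref)->state != OBJ_LIVE)
        return -1;
    (*ref)->state = OBJ_FREED;
    (*ref)->value = 0;
    *ref = NULL;
    return 0;
}

/* Checked read: refuses NULL and poisoned (freed) objects. 0 on success. */
int obj_read(const Obj *o, int *out) {
    if (o == NULL || o->state != OBJ_LIVE)
        return -1;
    *out = o->value;
    return 0;
}

/* The buggy pattern: a second pointer (alias) to the object survives the
 * release. With the checks above the stale read is refused (-1) rather
 * than returning the contents of a freed slot. */
int scenario_dangling_alias(void) {
    ObjPool pool;
    pool_init(&pool);
    Obj *owner = obj_alloc(&pool, 7);
    Obj *alias = owner;                 /* e.g. cached in another structure */
    obj_release(&owner);                /* owner is NULL, slot poisoned */
    int v = 0;
    return obj_read(alias, &v);         /* -1: stale reference detected */
}

/* Why the bug matters: once the slot is handed out again the stale alias
 * passes the check and observes whatever the new owner stored there.
 * Returns the value the alias sees (99, not the 7 it expects). */
int scenario_reused_slot(void) {
    ObjPool pool;
    pool_init(&pool);
    Obj *owner = obj_alloc(&pool, 7);
    Obj *alias = owner;
    obj_release(&owner);
    Obj *other = obj_alloc(&pool, 99);  /* reuses the poisoned slot */
    (void)other;
    int v = 0;
    obj_read(alias, &v);
    return v;
}

/* The correct pattern: only the owning pointer is kept and release nulls
 * it, so later use and double release are both refused. Returns 0 if every
 * step behaves, a negative code identifying the first failing step otherwise. */
int scenario_owner_only(void) {
    ObjPool pool;
    pool_init(&pool);
    Obj *owner = obj_alloc(&pool, 7);
    int v = 0;
    if (obj_read(owner, &v) != 0 || v != 7) return -1;
    if (obj_release(&owner) != 0)          return -2;
    if (owner != NULL)                     return -3;
    if (obj_read(owner, &v) != -1)         return -4;  /* use after release refused */
    if (obj_release(&owner) != -1)         return -5;  /* double release refused */
    return 0;
}
```

The reused-slot scenario is the reason poisoning alone is not a fix: it only catches the window between release and reuse. The durable mitigation is the ownership rule in obj_release (one owning pointer, nulled on release, no long-lived aliases), which is precisely the kind of lifetime property static analysis tools and code review are meant to enforce during development.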
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.