This new security issue came to light just days after Microsoft delivered an emergency patch to correct several other IE vulnerabilities, including at least one that was used in the recent attacks against more than 30 brand companies.
Jorge Luis Alvarez Medina, a security consultant at Core Security Technologies, is scheduled to give a presentation on Feb. 3 at the Black Hat conference in Washington, D.C., demonstrating how an attacker could leverage four to five flaws in design features of Internet Explorer to read every file on a user's computer. Following the presentation, Medina plans to release proof of concept demonstrating the attack, as well as further details on the flaws.
“Its not a presentation about how to exploit a bug in the browser, but how to take advantage of different, legitimate features of IE to deploy an attack vector,” Medina said. “Those features that are part of this attack are not vulnerabilities in and of themselves, but features that involve minor risk.”While each bug poses a low security risk on its own, they can be combined to launch the attack, Medina said. IE versions 8 and earlier are affected.
“All an attacker needs is for a victim to click on a link and that's it,” Medina said. “An attacker would be able to read every file from a victim's machine.”
Core Security researchers have been working with Microsoft to fix the issues for some time, Medina said.Microsoft is investigating the issue and has not identified any attacks in the wild, Dave Forstrom, group manager, Microsoft's Trustworthy Computing, said in a statement sent to SCMagazineUS.com.
“Once we're done investigating, we will take appropriate action to help protect customers,” Forstrom said. “This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.”
Medina, however, said that some of these minor bugs “will probably never get fixed.” Since the attack leverages flaws that exist in legitimate IE features, Microsoft cannot fix all the problems without impacting existing applications, he said.
“Some of them cannot be fixed as they are needed for different applications to run properly,” Medina said.
Meanwhile, Microsoft recommends users upgrade to IE 8, sign up for Microsoft Update and enable the automatic update functionality to ensure their browser is up to date with the most secure version.
