Patch/Configuration Management, Vulnerability Management

Microsoft IE zero-day exploited in wild, could provide unrestricted operating system access

Security researchers said the fix for the remote execution flaw found in Microsoft Internet Explorer should top the patching list for security pros following Patch Tuesday yesterday.

“Internet Explorer is being exploited in the wild, so this should be top of the list to patch,” said Kevin Breen, director of cyber threat research at Immersive Labs. “There’s a social engineering element at play here, as an attacker would have to trick a user into visiting a site they control using, for example, a spear phishing or malvertising campaign.”

This kind of exploit would give the attacker the same operating system permissions as the user visiting the website, Breen added. That means if someone browses the internet as a standard user, the attacker will get user-level access to that person's file system and limited access to the operating system.

“And if you are browsing the internet as an admin, the attackers will get full, unrestricted access to your file system and the operating system,” Breen said. “This is why least privilege accounts and not browsing the internet as an admin are so vital to staying secure.”

Jay Goodman, manager of product marketing at Automox, added that the memory corruption vulnerability affects Internet Explorer 11 and 9, and Edge browsers. Goodman said an attack can target the vulnerability with a malicious website designed to exploit the vulnerability through Internet Explorer. Users who view the malicious website could let attackers execute code on the system.

Although Edge and IE 11 and 9 are far from the most common browsers in use today, they are still present on nearly 75 percent of laptops and desktops.

"It’s critically important that IT teams quickly and efficiently patch this vulnerability," Goodman said. "Latent vulnerabilities left unpatched are one of the leading contributors to attackers being able to gain access and move laterally within a network.”

Researchers at ENKI tied the flaw, CVE-2021-26411, to a vulnerability that was publicly disclosed in early February, claiming it was one of the vulnerabilities used in a concerted campaign by nation-state actors to target security researchers, said Satnam Narang, staff research engineer at Tenable.

“In the ENKI blog post, the researchers say they will publish proof-of-concept (PoC) details after the bug has been patched,” Narang said. “As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits. We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge to apply these patches as soon as possible.”

Overall, Microsoft addressed 89 new vulnerabilities on Patch Tuesday in March, a 60 percent increase from February. Of this total, 14 are rated as “critical,” with five being actively exploited in the wild, four of which are specific to Microsoft Exchange Server.

The critical security updates for Microsoft Exchange Server were released out of band last week because of the urgent nature of the vulnerabilities. Microsoft attributed the weaponization of these vulnerabilities to Hafnium, a Chinese state-sponsored hacking group.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.