Proving the adage that criminals love the cat-and-mouse game that is InfoSec, Microsoft will still need to contend with two unpatched Internet Explorer flaws this month, even though the software giant is releasing several patches this week.
The first unpatched Internet Explorer (IE) flaw is the Zero-Day Microsoft acknowledged early last week. According to Redmond, attacks targeting a TIFF rendering error have been observed in the Middle East and South Asia. In their advisory, Microsoft said that exploitation of the flaw can lead to code execution and remote access.
Microsoft Office 2003 and 2007 are affected by the TIFF issue directly. Office 2010 is also affected, but only when it is running on Windows XP or Server 2003. Other vulnerable platforms include Windows Vista SP2, Server 2008, and Microsoft Lync. To address the issue, Microsoft released a FixIt tool that disables TIFF rendering. The full advisory from Microsoft is available here.
According to Microsoft's Dustin Childs, a patch for the TIFF flaw wasn't available in time for this month's security updates, so administrators are advised to deploy the FixIt tool, or to use the EMET tool's mitigations. The urgency to use those mitigations is stressed by researchers at FireEye, who have discovered the TIFF flaw being used in two separate sets of attacks, by two different groups, including one that is spreading the Citadel Trojan.
So until a patch is released, Microsoft's proposed mitigations are the only fix available to organizations that cannot move away from IE. Beyond that, organizations are left relying on their other layered defenses (e.g., IDS/IPS, antivirus, reputation filtering, etc.).
Finally, making matters worse, FireEye discovered a completely new Zero-Day targeting IE on Friday, and this flaw is already being used in watering hole attacks.
It's a brand-new IE 0-day that compromises anyone visiting a malicious website; a classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.
Microsoft, as of Saturday evening, hasn't acknowledged this newest Zero-Day targeting its browser, but FireEye says it is working with Microsoft to find a resolution.
The information leakage flaw targets IE 8 on Windows XP and IE 9 on Windows 7. The memory access flaw targets IE 7 and 8 on Windows XP and Windows 7, but FireEye expects that, with some tweaking, criminals can make it run on IE 7, 8, 9, and 10.