Microsoft IE is under a storm warning.
The Internet Storm Center (ISC) raised its threat level to Yellow, indicating a significant new threat involving a vulnerability to all versions of Internet Explorer. ISC stated that it was seeing increased exploits in the wild based on Microsoft Security Advisory 2887505, so felt it necessary to raise the threat level. According to Computerworld:
Microsoft’s advisory, published Sept. 17, acknowledged that hackers were exploiting Internet Explorer 8 (IE8) and IE9, but added that the vulnerability — which remains unpatched — affected all versions of the browser, from the 12-year-old IE6 to the not-yet-released IE11. Microsoft has not said when it will patch the bug, but it has offered protective steps customers can take in the meantime.
CIO Today explained what the bump in the threat level means:
Threat level “Yellow” at the ISC is two levels below ISC’s Red, the organization’s highest threat level. Yellow means the impact of the threat is either unknown or expected to be minor to the infrastructure Relevant Products/Services. However, local impact could be significant, and users are advised to take actions. Orange signifies a major disruption in connectivity is in progress or imminent. Red means loss of connectivity across a large part of the Internet.
The discovery of the exploit was first reported by FireEye, and labeled Operation DeputyDog. Right now, it is primarily targeting organizations in Japan, but the security experts believe this is just the tip of the iceberg, and that widespread attacks are possible.
Do we need to be concerned? Probably, as we should always be concerned about any vulnerability or zero-day attack possibility. Anyone using IE should apply the Microsoft fix, and if an out-of-band patch is released (a possibility but not a given; Microsoft’s next Patch Tuesday is October 8), apply that immediately, especially if you are using XP or Windows 7 as your operating system. As CIO Today explained:
“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” said Microsoft. “An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site.”