An exploit for a vulnerability which affects all versions of Microsoft’s Internet Explorer has been released as a module for the popular penetration testing tool Metasploit - sparking fears of a new wave of attacks.
The open-source tool is used to test vulnerabilities, but Lucian Constantin of the IDG News Service said, “An exploit for a vulnerability that affects all versions of Internet Explorer and has yet to be patched by Microsoft has been integrated into the open-source Metasploit penetration testing tool, a move that might spur an increasing number of attacks targeting the flaw.”
While the vulnerability has not been patched, Microsoft has released a temporary fix-it.
The module was posted by Metasploit contributor Wei Chen, who said, “Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft.”
There have been multiple reports of the exploit being used in the wild, according to a report by PC World. PC World also suggested that while Metasploit is targeted at the researcher community, the release could lead to the exploit code landing in the hands of cybercriminals.
On September 21, the Internet Storm Center raised its threat level to yellow in response to reports of attacks which exploited the vulnerability, saying, “The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505. Accordingly, we're moving the InfoCon up to Yellow.”
Microsoft has already released an emergency fix for the vulnerability in all versions of Internet Explorer. Microsoft warns that targeted attacks have already attempted to exploit it. Microsoft said that it will provide a more permanent solution - although whether this will be via the next "regular" patch on October 8, or earlier, remains to be seen.
In a blog post, Dustin Childs of Microsoft’s Security Response Center said that the risks for users lay in attackers compromising trusted websites - or convincing them to click links in emails or instant messages.
“This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type,” Childs wrote. “This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message.”
Child’s post also offers advice on how to mitigate the threat for users continuing to browse via Internet Explorer.