Windows XP users at risk with new IE exploit

Researchers have revealed the first Windows XP exploit under active attack that will remain exposed after Microsoft ended security patching for the platform.

The remote code execution vulnerability (CVE-2014-1776) affects Internet Explorer 6 to the latest version 11 on Windows XP, Vista and 7.

The vulnerable versions of Internet Explorer represent a quarter of all browsers in use, according to NetMarket Share statistics, however attacks are only currently targeting browser versions 9 and above.

Researchers at security firm FireEye said the sophisticated attackers were targeting US businesses with drive-by attacks contained within malicious web sites.

"The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR (Address Space Layout Randomisation) and DEP (Data Execution Prevention) protections," researchers Xiaobo Chen, Dan Caselden and Mike Scott wrote in a post.

"They [attackers] are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure."

Microsoft alerted users to the phishing attacks and said it was investigating the hack.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," the company wrote in a security advisory.

"... an attacker would have to convince users to visit the [compromised or malicious] website, typically by getting them to click a link in an email message or instant messenger message that takes users to the attacker's website."

It said the vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted or not properly allocated.

"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."

The situation could worsen for Windows XP users after Microsoft releases a patch, as it will provide attackers with an opportunity to determine unreleased specific information about the flaw.

Windows users running Microsoft's Enhanced Mitigation Toolkit above version 3 may be safe from the attack, along with those with limited account rights and higher security configurations for Outlook.

Users could also disable Flash in their browsers to mitigate the attack.

The attack was mitigated against Internet Explorer installations on Server 2003, 2008 and 2012 which ran the default Enhanced Security Configuration.