The Inquirer-Home

Microsoft Internet Explorer hit by zero day exploit

Could allow a hacker to take complete control of an affected system
Mon Apr 28 2014, 10:42
Microsoft Internet Explorer

MICROSOFT HAS ISSUED an emergency security bulletin warning of a vulnerability affecting almost every version of Internet Explorer (IE) that could give hackers complete control of a user's web browser.

Leaving users unpatched, Microsoft issued Security Advisory 2963983 on Saturday regarding a potential vulnerability in Internet Explorer (IE) 6 to 11 reported by Fireeye and still under investigation by the Redmond firm.

"We are working closely with Fireeye to investigate this report of a vulnerability which was found used in very limited targeted attack: the vulnerability is a 'use-after-free' memory corruption and the exploit observed seems to target IE9, IE10 and IE11," Microsoft said on its security blog.

While the vulnerability affects Internet Explorer, the exploit relies on two other components to successfully trigger code execution and in particular it requires the presence of VML and Flash components.

"If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," warned the company. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Fireeye warned that collectively, in 2013, the vulnerable versions of IE accounted for 26.25 percent of the browser market.

"We believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available," Fireeye said in a post on its blog. "The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP."

Microsoft added that given the details shared by Fireeye, it believes that the exploit isn't able to run successfully when EMET protection is added for Internet Explorer and can also be mitigated by disabling VML in IE, or running IE in the Enhanced Protected Mode configuration and 64-bit process mode, which is only available in IE versions 10 and 11 in the Internet Options settings.

Malwarebytes' director of special projects, Pedro Bustamante, told The INQUIRER that vulnerabilities like this seen in IE will continue to be an increasing threat for users of mainstream internet services.

"The interim risk to people and businesses using IE 6 to 11, until MS pushes out a patch, is worrying. However, there is also an ongoing problem that anyone still using XP will be completely exposed as long as they continue to use the OS, as there will never be a patch," Bustamante said, adding that it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.

"Businesses using IE should remain ultra-cautious as they will obviously hold a far greater cache of potentially sensitive information. In large organisations, the default advice of switching to another browser may be difficult to administer," he added. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015