MICROSOFT HAS ISSUED an emergency security bulletin warning of a vulnerability affecting almost every version of Internet Explorer (IE) that could give hackers complete control of a user's web browser.
With no patch yet available, Microsoft issued Security Advisory 2963983 on Saturday regarding a vulnerability in IE 6 to 11 that was reported by Fireeye and is still under investigation by the Redmond firm.
"We are working closely with Fireeye to investigate this report of a vulnerability which was found used in very limited targeted attacks: the vulnerability is a 'use-after-free' memory corruption and the exploit observed seems to target IE9, IE10 and IE11," Microsoft said on its security blog.
While the vulnerability itself is in Internet Explorer, the observed exploit relies on two other components to trigger code execution: it requires that both VML and Flash be present on the system.
"If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," warned the company. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Fireeye warned that collectively, in 2013, the vulnerable versions of IE accounted for 26.25 percent of the browser market.
"We believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available," Fireeye said in a post on its blog. "The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP."
Microsoft added that, given the details shared by Fireeye, it believes the exploit cannot run successfully when EMET protection is enabled for Internet Explorer. The issue can also be mitigated by disabling VML in IE, or by running IE in the Enhanced Protected Mode configuration with 64-bit process mode, an option available only in IE 10 and 11 through the Internet Options settings.
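As an added illustration, and not code from the article, Microsoft or Fireeye, the following read-only PowerShell audit reports whether a Windows host has any of the mitigations just listed in place: VML unregistered, EMET installed, or Enhanced Protected Mode with 64-bit tab processes. The registry value names used for Enhanced Protected Mode and 64-bit mode, the EMET uninstall-entry lookup and the vgx.dll file path are the editor's assumptions about where these settings live, not facts taken from the article, so confirm them against the advisory for your environment.

```powershell
# Added example: audit a host for the mitigations named in Security Advisory 2963983.
# Read-only: nothing is changed. Registry value names below are assumptions.

$result = [ordered]@{}

# 1. Installed IE version. The article says IE 6 to 11 are affected and the
#    observed exploit targets IE 9 to 11.
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
# Assumption: svcVersion is populated on IE 10+, Version on older releases.
$result.IEVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }

# 2. VML. The mitigation is to disable VML (unregister vgx.dll). Rather than rely
#    on a hard-coded CLSID, scan COM InprocServer32 entries for any that still
#    point at vgx.dll; none found means VML rendering is unregistered.
$vgxServers = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $inproc = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc.'(default)' -match 'vgx\.dll') { $_.PSChildName }
    }
$result.VMLRegistered  = [bool]$vgxServers
# Assumed location of the DLL; presence alone does not mean it is registered.
$result.VGXFilePresent = Test-Path "$env:CommonProgramFiles\Microsoft Shared\VGX\vgx.dll"

# 3. Enhanced Protected Mode plus 64-bit processes (IE 10/11 only).
#    Assumed storage: HKCU\...\Main\Isolation = 'PMEM' for EPM, Isolation64Bit = 1.
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
$result.EnhancedProtectedMode = ($main.Isolation -eq 'PMEM')
$result.Use64BitProcesses     = ($main.Isolation64Bit -eq 1)

# 4. EMET. Look for an installed product whose display name identifies EMET.
#    This shows EMET is installed, not that iexplore.exe is configured under it.
$uninstallPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$emet = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'EMET*' -or
                   $_.DisplayName -like 'Enhanced Mitigation Experience Toolkit*' }
$result.EMETInstalled = [bool]$emet

# Summary. Per the article, the exploit needs VML present and is blocked by EMET
# or by EPM with 64-bit mode, so any one of these counts as a mitigation.
$result.Mitigated = (-not $result.VMLRegistered) -or $result.EMETInstalled -or
                    ($result.EnhancedProtectedMode -and $result.Use64BitProcesses)

[pscustomobject]$result | Format-List
```

Run it in an elevated PowerShell prompt on each workstation, or wrap it in a remoting job to collect the `Mitigated` field across a fleet. The CLSID scan walks every COM class on the host and may take several seconds; it is the price of not depending on a specific class ID.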
Malwarebytes' director of special projects, Pedro Bustamante, told The INQUIRER that vulnerabilities like this one in IE will continue to be an increasing threat for users of mainstream internet services.
"The interim risk to people and businesses using IE 6 to 11, until MS pushes out a patch, is worrying. However, there is also an ongoing problem that anyone still using XP will be completely exposed as long as they continue to use the OS, as there will never be a patch," Bustamante said, adding that it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.
"Businesses using IE should remain ultra-cautious as they will obviously hold a far greater cache of potentially sensitive information. In large organisations, the default advice of switching to another browser may be difficult to administer," he added.