New Zero Day IE vulnerability

Taffycat

Crunchy Cat
Joined
Jun 1, 2006
Messages
12,830
Reaction score
1,067
Watch out folks.

A new zero-day vulnerability has been found in all versions of Internet Explorer, and is being actively exploited in targeted attacks according to security firm FireEye.


The attack has been dubbed “Clandestine Fox” by FireEye, who say that every single version of Internet Explorer – from version IE 6 to 11 – is blighted by the flaw, which has not yet been patched by Microsoft.


It certainly is worrying news for users of Internet Explorer, which is said to have 26.25% share of the browser market.


The exploit seen by FireEye has reportedly targeted users of Internet Explorer 9 and higher, although clearly there are concerns that the remote code execution vulnerability could be weaponised in the other vulnerable versions of IE too.
Microsoft has issued a security advisory regarding the flaw, which it calls CVE-2014-1776:
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
In other words, you as a user don’t have to do anything odd to get your Windows computer infected by malware spread via this exploit. All you need to do is visit a website that has been poisoned by the hackers using a version of Internet Explorer.
What you won’t find any mention of in Microsoft’s warning, notably, is Windows XP. That’s not because it’s immune to attack. It’s because, Microsoft released its last ever security patches for Windows XP on April 8 2014.


As such, this is worth saying out loud (or at least in bold): If you are still running Windows XP you will never receive a patch for this zero-day vulnerability.

Don’t say you weren’t warned. Microsoft told the world it would stop releasing XP security updates a full seven years ago.


For now, Microsoft is recommending that Internet Explorer users install its free Enhanced Mitigation Experience Toolkit (EMET) to harden security of Windows systems.



Alternatively, you could consider using an alternative web browser like Chrome, Firefox, Opera, etc… That’s not to say that these Internet Explorer competitors don’t, from time to time, have security issues of their own, of course, but while you’re waiting for a proper fix from Microsoft it might be a course of action worth considering.
Source and full article: grahamcluley.com
 
Back
Top