A recently exposed security flaw affecting Microsoft Internet Explorer, the web browser used by approximately 58% of the world, has left a substantial number of the world’s web browsers vulnerable to attack. Microsoft confirmed Saturday that it was aware of “limited, targeted attacks” that attempt to exploit the remote code execution vulnerability, which resides in Internet Explorer versions 6 through 11.

According to the advisory issued by Microsoft, an attacker could access “an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

FireEye, the cybersecurity firm that has taken credit for identifying this zero-day vulnerability, said hackers were exploiting the bug in a campaign nicknamed “Operation Clandestine Fox.” The flaw is significant because the vulnerable versions represent a significant portion of the total browser market.

Microsoft will likely release a security patch soon to address the issue, but currently there are no patches available for this flaw. Because Windows XP reached end of life earlier this month, users still relying on Windows XP will be leaving their machines vulnerable to attack: Microsoft has stopped supporting the older operating system with security patches and other software updates.

One way to be proactive in strengthening security until the patch is released is to use a different browser such as Chrome, Safari or Firefox. If using another browser is not an option, security firm FireEye suggests disabling the Adobe Flash plugin because the attacks won’t work without it. FireEye also suggests running Internet Explorer in Enhanced Protected Mode, which is only available for Internet Explorer versions 10 and 11. Regardless of what you do, it’s a good idea to take some action to make sure you’re safe from this exploit.

References:

http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

http://mashable.com/2014/04/27/microsoft-web-browser-security-bug-could-impact-millions-of-users/?utm_cid=mash-com-Tw-tech-link

https://technet.microsoft.com/library/security/2963983

http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild

http://www.cnet.com/news/new-zero-day-vulnerability-identified-in-all-versions-of-ie/