Zero-Day Exploit in all versions of Internet Explorer
Late on Saturday Microsoft released a warning of a vulnerability in all versions of Internet Explorer (v6 – v11) that is currently being used in attacks on users on the Internet. This vulnerability affects an estimated 625 million users or 26% of all Internet users worldwide.
This vulnerability was first discovered by the research firm FireEye. The attack they observed bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). This specific exploit uses an Adobe Flash SWF file to manipulate the contents of memory. Although Microsoft does not explicitly state it, it would appear that systems without Adobe Flash installed are not vulnerable to this specific exploit, although they are still vulnerable to the underlying vulnerability in Internet Explorer.
Microsoft Outlook, Microsoft Outlook Express, and Windows Mail mitigate this issue when an HTML message is merely previewed. However, a user who opens a link in an email message could still be exposed to this vulnerability through the web-based attack scenario.
Microsoft has not yet issued a fix to resolve this issue. In the meantime, it is strongly suggested that Internet Explorer users do one of the following until the issue is patched: enable Enhanced Security Configuration or install EMET to mitigate the vulnerability, remove Adobe Flash entirely from the computer, or use an alternative browser. Popular free web browser alternatives to Microsoft Internet Explorer are Google Chrome, Mozilla Firefox, and Opera.
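The following PowerShell script is an added example, not code from the original post or from Microsoft, that reports whether a Windows host already has the mitigations listed above in place: IE Enhanced Security Configuration, EMET, and the presence of the Flash ActiveX control. The Active Setup GUIDs, the `Macromed\Flash` directories and the `EMET_Service` service name are assumptions based on common documentation rather than values taken from the advisory.

```powershell
# Added example: report the state of the mitigations named in the advisory.
# Registry keys, file paths and the EMET service name are assumptions, not
# values from the advisory itself; run as an administrator for full results.

function Test-IEEnhancedSecurityConfiguration {
    # IE ESC is recorded under Active Setup; IsInstalled = 1 means enabled
    # for the given group (assumed GUIDs).
    $keys = @{
        Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    foreach ($group in $keys.Keys) {
        $value = Get-ItemProperty -Path $keys[$group] -Name IsInstalled -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Group   = $group
            Enabled = ($null -ne $value -and $value.IsInstalled -eq 1)
        }
    }
}

function Test-FlashActiveXPresent {
    # Flash for IE ships as an ActiveX control (Flash*.ocx); 64-bit Windows
    # keeps a second copy for 32-bit IE under SysWOW64 (assumed paths).
    $dirs = @("$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash")
    foreach ($dir in $dirs) {
        if ((Test-Path $dir) -and (Get-ChildItem -Path $dir -Filter 'Flash*.ocx' -ErrorAction SilentlyContinue)) {
            return $true
        }
    }
    return $false
}

function Test-EmetInstalled {
    # EMET 4.x registers a Windows service; its presence is taken as "installed" (assumed name).
    return [bool](Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue)
}

$esc   = Test-IEEnhancedSecurityConfiguration
$flash = Test-FlashActiveXPresent
$emet  = Test-EmetInstalled

$esc | Format-Table -AutoSize
"Flash ActiveX control present : $flash"
"EMET installed                : $emet"

# A host is considered mitigated if ESC is on for all users, or EMET is present,
# or the Flash control the exploit relies on is absent.
$mitigated = ($esc.Enabled -notcontains $false) -or $emet -or (-not $flash)
"Mitigated per advisory guidance: $mitigated"
```

Remove or not, removing the Flash control only closes the observed exploit path; the underlying Internet Explorer flaw remains until Microsoft ships a patch.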