Microsoft issues advisory on Internet Explorer vulnerability

Apr 28, 2014 by Nancy Owano weblog
Microsoft is scrambling to repair a security hole in its Internet Explorer web browser, saying it has detected attempts to exploit the flaw.

(Phys.org) —Microsoft issued a security advisory on Saturday regarding an issue that impacts the Internet Explorer Web browser. Microsoft said it was aware of limited, targeted attacks seeking to exploit the vulnerability in Internet Explorer versions 6 through 11.

The issue is being characterized as a "remote code execution vulnerability": an attacker can execute arbitrary code if a user visits a malicious website with an affected browser. This is attack by lure, which depends on convincing someone to click a link in an email or instant message. Also, if the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Dustin Childs, a group manager within the Trustworthy Computing Group at Microsoft, weighed in on the matter Saturday, saying "We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect customers."

He advised people to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. "Additionally, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders."

As for future intentions, the company said, "On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

This was also a busy weekend for FireEye, the Milpitas, California-based security company whose FireEye Research Labs had identified what it called a new Internet Explorer zero-day exploit used in targeted attacks. "The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11." The April 26 blog post by Xiaobo Chen, Dan Caselden and Mike Scott said that "Threat actors are actively using this exploit in an ongoing campaign which we have named 'Operation Clandestine Fox.' However, for many reasons, we will not provide campaign details. But we believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available."

Collectively, last year, the vulnerable versions of IE accounted for 26.25% of the browser market, they wrote. "The vulnerability, however, does appear in IE6 through IE11 though the exploit targets IE9 and higher."

More information: www.fireeye.com/blog/uncategor… argeted-attacks.html

technet.microsoft.com/en-us/li… ecurity/2963983.aspx

User comments : 2

Caliban
not rated yet Apr 28, 2014
Thanks, MegaSuck--I feel safer already...
Lex Talonis
not rated yet Apr 30, 2014
Microsoft is like having a nasty disease......

Vomiting, diarrhoea, delirium, hallucinations, incontinence, internal
hemorrhaging, raging fever, cold sweats, gangrene, pustulent boils, etc., etc., etc.,

All at the same time......

The cure?

A shot of LINUX.