A new zero-day exploit has been discovered for Microsoft’s Internet Explorer (IE) web browser. The vulnerability was discovered by security vendor FireEye over the weekend, and Microsoft has since issued an emergency security bulletin. The problem is understood to affect Internet Explorer 6 through 11, and could allow attackers to gain complete control of a system.
In a separate blog post, Microsoft said that it is working closely with FireEye to investigate the vulnerability, and explained that it is a ‘use-after-free’ memory corruption that seems to target Internet Explorer 9 to 11. The exploit, however, requires VML and Flash extensions to be present in the browser in order to execute code successfully. If the exploit succeeds against a logged-on user with administrative rights, the attacker will be able to install programs, make changes to data, or create new accounts with full user rights.
Until a patch is ready, Microsoft has issued a workaround, advising users to add EMET protection, disable VML in the browser, or run it in the Enhanced Protected Mode configuration and 64-bit process mode. Note that the last item is only possible on IE 10 and 11.
One complication for Windows XP users is the cessation of support by Microsoft since April 8 (Windows XP is only capable of running Internet Explorer 6, 7, and 8). As such, anyone who is still running the discontinued operating system may never get this problem fixed, as a patch for it will not be made available.
FireEye warns that the vulnerable versions of IE accounted for 26.25 percent of the browser market based on figures from 2013. Vulnerabilities like this are expected to continue to be an increasing threat for users. The only way to prevent being a victim is to practice Internet safety, stay alert and have a set of preventive measures on-hand at all times.
For now, you may want to check out some mitigation strategies for users looking to switch over here.