Microsoft hurries to fix IE remote code execution bug

by Mark Tyson on 28 April 2014, 09:56

Tags: Internet Explorer, PC

A 'zero day' flaw was uncovered in Internet Explorer this weekend. Microsoft is rushing to fix the vulnerability but has yet to do more than publish a simple advisory note. This security flaw, which allows remote code execution from a maliciously designed website, affects IE versions 6, 7, 8, 9, 10 and 11. Reuters reports that PC users running Windows XP won't receive any bug-fixing updates when they are released. The various versions of IE account for around 55 per cent of the world's web browsers in daily use.

Microsoft describes this widespread Internet Explorer vulnerability as follows:

"The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

Microsoft Security Response Centre (MSRC)

So far Microsoft has observed only "limited, targeted attacks". This could be because the vulnerability was discovered so recently, and because targeted users have to somehow be directed to the malicious website via a link in an email or IM chat. It could also be to do with Microsoft's "mitigating factors": IE10 and IE11 Enhanced Protected Mode is the default browsing experience on Modern UI, and EMET (Enhanced Mitigation Experience Toolkit) 4.1 and EMET 5.0 protect against this risk. Keeping firewall, AV and anti-spyware software packages up to date and enabled will also help to protect Windows/IE users.

Microsoft reminded users that those with Windows accounts configured for fewer user rights could be less impacted by this vulnerability than 'Administrators'. We are also told not to click on suspicious links from hither and thither and to avoid opening fishy-looking emails. Microsoft also recommended, in a statement to Reuters, that Windows XP users should upgrade to Windows 7 or 8, as they will receive no system updates to address this vulnerability when they become available.



HEXUS Forums :: 8 Comments

“Microsoft also recommended, in a statement to Reuters, that Windows XP users should upgrade to Windows 7 or 8, as they will receive no system updates to address this vulnerability when they become available.”

Who'd have thought… ;)
A big one so soon after Windows XP support ends….ho hum, I think the phrase “Time to upgrade” is going to get used a lot over the coming months.
Why on earth are people still using IE6?
MaddogPepper
Why on earth are people still using IE6?
In this country proprietary, horribly designed government/council applications which won't work on other browsers no doubt. Of course, newer versions will probably be available, but would require spending money.
allow an attacker to execute arbitrary code in the context of the current user

Time to take the plunge and start user accounts that don't have Admin rights for your daily use, people! It's a lot easier than you think, once you get the hang of it.