
Microsoft warns of IE zero day in the wild, all IE versions vulnerable

Microsoft issued a security advisory and a 'Fix it' for a zero-day exploit targeting Internet Explorer.

By Ms. Smith on Wed, 09/18/13 - 11:07am.

Microsoft is warning of a zero-day exploit targeting Internet Explorer. On Tuesday, the company posted a security advisory stating "Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9."

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

 


According to Security Advisory 2887505:

In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

"All supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone," but "if a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario."

From the bad to the ugly Microsoft category

Last week, four of the 13 Microsoft-issued updates were yanked for causing nasty retargeting loop headaches for