Information Security News mailing list archives

Microsoft Warns Of Zero-Day Vulnerability In Internet Explorer


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 29 Apr 2014 06:05:07 +0000 (UTC)

http://www.darkreading.com/vulnerabilities---threats/microsoft-warns-of-zero-day-vulnerability-in-internet-explorer/d/d-id/1234907

By Tim Wilson
Dark Reading
4/28/2014

Microsoft has discovered a zero-day vulnerability in most versions of Internet Explorer that already has enabled some attackers to execute code remotely on victim PCs, even without action by the end user. In a security advisory issued over the weekend, Microsoft reported that it "is aware of limited, targeted attacks that attempt to exploit a vulnerability" in IE 6, 7, 8, 9, 10, and 11. The vulnerability, which takes advantage of the way IE accesses an object in memory that has been deleted or has not been properly allocated, makes it possible for attackers to achieve remote code execution on a targeted machine, the advisory says.

"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," Microsoft says. "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user."

Remote code execution means that attackers could distribute malware via a drive-by installation, "where simply looking at booby-trapped content such as a Web page or image file can trick IE into launching executable code sent from outside your network," notes Paul Ducklin, a researcher at security firm Sophos, in a blog posted Sunday. "There won't be any obvious warning signs, or 'Danger, Will Robinson' dialog boxes."

Using such an exploit, "a crook may be able to sneak malware onto your computer even if you don't take any obvious risks such as opening a suspicious attachment or agreeing to download a dubious-sounding file," he observes.

[...]


