Zero-Day vulnerability in Internet Explorer browser

On April 26, 2014, Microsoft officially confirmed a new zero-day vulnerability that affects all versions of its popular Internet Explorer browser. There is currently no fix, as Microsoft is still investigating and creating a patch. We recommend switching to another browser to prevent any attacks.

How does it work?

FireEye Research Labs identified the vulnerability and determined that it bypasses both the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections. The attack exploits a ‘use after free’ flaw and seems to originate in Flash operations. Microsoft explains it as:

The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

In plain terms, this means that an attacker who successfully exploits the flaw can force the computer to run software of the attacker's choosing.

Who is at risk?

The vulnerability is limited to the Internet Explorer web browser; however, it affects all versions, 6 through 11. This leaves half of the world’s browser market in potential danger.

How widespread is it?

Microsoft says it has seen only “limited attacks” exploiting the vulnerability so far. It also says attacks normally occur when someone has been convinced to click on a link. Microsoft is currently investigating and will likely release a security patch to take care of the issue. Windows XP users, however, will not be getting a patch, as Microsoft officially ended support for the operating system on April 8, 2014.
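To find out which machines on a network are exposed, an administrator can look for the affected Internet Explorer versions (6 through 11) in web proxy logs and mark the Windows XP clients that will not receive a patch. The Python code below is an added example, not part of the original article or anything published by Microsoft; the log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample proxy-log lines: client IP, then the quoted User-Agent.
SAMPLE_LOG = '''\
10.0.0.11 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.12 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.13 "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.0.14 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
10.0.0.15 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.16 "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16"
10.0.0.17 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.00"
'''

LINE = re.compile(r'(\S+) "(.*)"$')
MSIE = re.compile(r"\bMSIE (\d+)\.")               # IE 10 and earlier
IE11 = re.compile(r"Trident/7\.0.*\brv:(\d+)\.")   # IE 11 dropped the MSIE token
XP = re.compile(r"Windows NT 5\.1\b")              # Windows XP (32-bit)


def ie_version(user_agent):
    """Return the Internet Explorer major version, or None for other browsers."""
    if "Opera" in user_agent:
        return None  # old Opera releases could masquerade with an MSIE token
    match = MSIE.search(user_agent) or IE11.search(user_agent)
    return int(match.group(1)) if match else None


def inventory(log_text):
    """List clients seen with IE 6-11 and whether each one runs Windows XP."""
    findings = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        client, user_agent = match.groups()
        version = ie_version(user_agent)
        if version is not None and 6 <= version <= 11:
            findings.append({"client": client, "ie": version,
                             "xp_no_patch": bool(XP.search(user_agent))})
    return findings


if __name__ == "__main__":
    for item in inventory(SAMPLE_LOG):
        note = "Windows XP, no patch coming" if item["xp_no_patch"] else "patch pending"
        print(f'{item["client"]}: IE {item["ie"]} ({note})')
```

User-Agent strings can be changed by the client, so treat the result as a starting list to confirm against a software inventory.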

How do I fix it?

For those who use the Internet Explorer browser, there is currently no fix, as Microsoft has yet to release a patch. You can, however, simply switch to another browser such as Chrome, Firefox, or Opera to prevent any attacks.
