Microsoft recently published a security advisory acknowledging the existence of a new vulnerability in Internet Explorer that could enable remote code execution.
"A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated," the advisory states. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
"All but one supported edition of IE are affected: 2001's IE6, 2006's IE7, 2009's IE8 and last year's IE9," writes Computerworld's Gregg Keizer. "Together, those browsers accounted for 53 percent of all browsers used worldwide in August. The only exception was IE10, the browser bundled with the new Windows 8, which does not contain the bug."
"Eric Romang, a Luxembourg-based IT security advisor at ZATAZ.com, wrote over the weekend that he discovered the exploit when analyzing a batch of files hosted on one of the servers used to host attacks that exploited the Java vulnerability," writes Sophos' Paul Roberts. "After running one of the sample files on a fully patched Windows XP SP3 system with an up-to-date version of Adobe Flash, Romang was surprised to find that the files loaded malicious software to his fully patched XP system."
"Microsoft also said that IE running on Windows Server 2003, 2008 and 2008R2 runs in a restricted mode that mitigates the vulnerability," writes Threatpost's Michael Mimoso. "Outlook, Outlook Express and Windows Mail also open HTML messages in a restricted zone, mitigating the vulnerability, but should a user click a link in a message, they could still be vulnerable to exploit."