Jump to content
Usr6

Internet Explorer Zero-Day Hits All Versions In Use

By Usr6, in Stiri securitate

Recommended Posts

Usr6 Newbie

Usr6

Posted
Posted

Over the weekend, Microsoft released Security Advisory 2963983 which describes a new zero-day vulnerability found in Internet Explorer. (It has also been assigned the CVE designation CVE-2014-1776.)

This remote code execution vulnerability allows an attacker to run code on a victim system if the user visits a website under the control of the attacker. While attacks are only known against three IE versions (IE 9-11), the underlying flaw exists in all versions of IE in use today (from IE 6 all the way to IE 11).

This vulnerability may linger unpatched in many systems for some time, as it is the first vulnerability affecting Windows XP systems that will not be patched. We had warned before that the risk for using Windows XP would increase over time, and this vulnerability is proof of that. This means that for the millions of users still using this particular operating system, they will be left with a security hole that will never be fully fixed. (Our primer Managing Your Legacy Systems contains best practices for securing Windows XP systems.)

Serious as this vulnerability is, it’s not all bad news. First of all, the vulnerability is only able to run code with the same privileges as the logged-in user. Therefore, if the user’s account does not have administrator rights, the malicious code will not run with them either, partially reducing the risk. (Of course, this is only true if the user’s account isn’t set up as an administrator.)

Secondly, some workarounds have been provided by Microsoft as part of their advisory; of these enabling Enhanced Protected Mode (an IE10 and IE11-only feature) is the easiest to do. In addition, the exploit code requires Adobe Flash to work, so disabling or removing the Flash Player from IE also reduces the risk from this vulnerability as well.

We will continue to monitor this threat and provide new information as necessary.

Sursa: Internet Explorer Zero-Day Hits All Versions In Use | Security Intelligence Blog | Trend Micro

Informatii suplimentare: New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks | FireEye Blog

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...