Web design & marketing tips by Ironpaper

Security warning for all versions of Internet Explorer

Written by Ironpaper | Apr 30, 2014 1:33:44 AM

The US Department of Homeland Security posted a warning about vulnerabilities in Microsoft's Internet Explorer web browser on its US-CERT website. The vulnerabilities could allow an attacker to perform unauthorized remote code execution on versions 6-11 of Internet Explorer. The Department of Homeland Security went as far as to urge the public to use an "alternative browser" until the bug is patched.

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The discovery of this vulnerability (Microsoft Advisory 2963983) is surprising since it affects every active version of Internet Explorer on every version of Microsoft's operating system.

The use-after-free vulnerability would allow remote code execution, which could be used in phishing schemes or other exploits, including a complete takeover of the affected system. An attacker who successfully takes advantage of this vulnerability could gain the same system rights as the computer user they attack.

An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

The vulnerability was revealed to Microsoft by the cyber security firm FireEye. The vulnerability was announced on Microsoft's advisory service website on April 26, 2014.

SOURCE:

  • Microsoft Security Advisory: 2963983
  • https://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being