Internet Explorer exploit makes 26% of the world’s browsers vulnerable

Written by

Sounds to me like this is a very large exploit (impacts IE version 6 through 11) that is currently active, being used in attacks. If you use Windows, the quickest fix is to switch to another browser, at least until a patch is made available.

The zero-day code-execution hole in IE versions 6 through 11 represents a significant threat to the Internet security because there is currently no fix for the underlying bug, which affects an estimated 26 percent of the total browser market. It’s also the first significant vulnerability to target Windows XP users since Microsoft withdrew support for that aging OS earlier this month. Users who have the option of using an alternate browser should avoid all use of IE for the time being. Those who remain dependent on the Microsoft browser should immediately install EMET, Microsoft’s freely available toolkit that greatly extends the security of Windows systems.

The vulnerability is formally indexed as CVE-2014-1776. Microsoft has blog posts here, here, and here that lay out bare bones details uncovered at this early stage in its investigation. Although there is no exploited vulnerability in Adobe Flash, disabling the browser add-on will also neutralize attacks, analysts at security firm FireEye Research Labs wrote in a separate blog post published Sunday. Disabling vector markup language support in IE also mitigates attacks.

From Microsoft’s security advisory:

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

This is the cost of a widely splintered user base. To fix this, Microsoft has to patch all versions of IE. And what will this mean for Windows XP users? Microsoft has ended support for Windows XP. Will those users remain vulnerable unless they switch?

Microsoft is in a tough position here. Short term, I’d switch browsers or follow the instructions in this blog post, which might solve the problem for some.