Microsoft says that it’s still looking into reports of targeted attacks against IE users

Feb 14, 2014 07:53 GMT  ·  By

Security company FireEye Labs has discovered a new zero-day vulnerability in Internet Explorer 9 and 10 that is already being exploited in the wild to install malicious software on unpatched computers.

According to FireEye's research, the attack is delivered through a compromised legitimate website whose HTML has been modified to silently load a malicious page hosted by the attacker in the background.

“The attacker’s HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit. The exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript,” FireEye Labs explained.

For now, Internet Explorer 9 and 10 are the only browsers known to be affected, and the exploit seen in the wild requires Adobe Flash to be installed and enabled. Microsoft has confirmed that it is investigating the reports and is trying to determine how many users have been hit.

“Microsoft is aware of limited, targeted attacks against Internet Explorer 9 and 10,” a Microsoft spokesperson told TNW. “As our investigation continues, we recommend customers upgrade to Internet Explorer 11 for added protection.”

Until Microsoft ships an official patch, the simplest way to stay protected is to update to Internet Explorer 11, which is available for Windows 7 as an optional download.

“The vulnerability is a previously unknown use-after-free bug in Microsoft Internet Explorer 10. The vulnerability allows the attacker to modify one byte of memory at an arbitrary address,” FireEye Labs explained in a blog post.

“The exploit targets IE 10 with Adobe Flash. It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). So installing EMET or updating to IE 11 prevents this exploit from functioning
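The one-byte arbitrary write FireEye describes is the classic payoff of a use-after-free: an object is freed, attacker-controlled data is allocated into the same memory, and a stale pointer then "uses" the object under the attacker's layout. The C program below is added here as an illustration of that bug class; it is not FireEye's exploit and not Internet Explorer code. It uses a toy first-fit slab allocator so that slot reuse is deterministic, and shows the vulnerable close path beside a fixed one. All names (widget, container, slab_alloc, victim_byte) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SLOT_SIZE 64
#define NSLOTS    4

/* Toy first-fit slab allocator (hypothetical, not a browser heap): a freed
 * slot is handed to the very next same-size allocation, which is the reuse
 * a UAF exploit relies on. */
static _Alignas(16) uint8_t arena[NSLOTS][SLOT_SIZE];
static int in_use[NSLOTS];

static void *slab_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            memset(arena[i], 0, SLOT_SIZE);
            return arena[i];
        }
    }
    return NULL;
}

static void slab_free(void *p)
{
    for (int i = 0; i < NSLOTS; i++)
        if (p == (void *)arena[i])
            in_use[i] = 0;
}

/* A DOM-like object whose method stores one byte through a pointer it owns. */
struct widget {
    uint8_t *flag_ptr;                              /* where to store the flag */
    uint8_t  flag_val;                              /* the byte to store */
    uint8_t  pad[SLOT_SIZE - sizeof(uint8_t *) - 1];
};

static void widget_set_flag(struct widget *w)
{
    *w->flag_ptr = w->flag_val;                     /* the "use" */
}

struct container { struct widget *w; };             /* holds a raw pointer */

static uint8_t widget_flags[1];                     /* legitimate flag storage */
static uint8_t victim_byte;                         /* attacker must never write this */

/* BUG: frees the widget but leaves c->w dangling. */
static void container_close_vuln(struct container *c)
{
    slab_free(c->w);
}

/* FIX: drop the reference so later code cannot reach freed memory. Real
 * engines use reference counting; nulling is the smallest fix for this path. */
static void container_close_fixed(struct container *c)
{
    slab_free(c->w);
    c->w = NULL;
}

static int widget_set_flag_checked(struct widget *w)
{
    if (w == NULL)
        return 0;                                   /* closed: refuse the use */
    widget_set_flag(w);
    return 1;
}

/* Script-controlled allocation of the same size (in a browser: a string or
 * array created by the attacker's JavaScript right after the free). Its first
 * bytes are laid out to overlay flag_ptr and flag_val. */
static void attacker_reclaim(uint8_t *target, uint8_t value)
{
    uint8_t *buf = slab_alloc();
    memcpy(buf, &target, sizeof target);            /* overlays flag_ptr */
    buf[sizeof target] = value;                     /* overlays flag_val */
}

static struct container setup(void)
{
    memset(in_use, 0, sizeof in_use);
    victim_byte = 0;
    struct container c;
    c.w = slab_alloc();
    c.w->flag_ptr = widget_flags;
    c.w->flag_val = 1;
    widget_set_flag(c.w);                           /* legitimate use */
    return c;
}

/* Vulnerable sequence: returns victim_byte, which ends up as 0x41. */
uint8_t demo_vulnerable(void)
{
    struct container c = setup();
    container_close_vuln(&c);                       /* free */
    attacker_reclaim(&victim_byte, 0x41);           /* reclaim the slot */
    widget_set_flag(c.w);                           /* use-after-free */
    return victim_byte;
}

/* Fixed sequence: returns victim_byte, which stays 0x00. */
uint8_t demo_fixed(void)
{
    struct container c = setup();
    container_close_fixed(&c);
    attacker_reclaim(&victim_byte, 0x41);
    widget_set_flag_checked(c.w);                   /* returns 0, no write */
    return victim_byte;
}

int main(void)
{
    printf("vulnerable: victim_byte = 0x%02x\n", demo_vulnerable());
    printf("fixed:      victim_byte = 0x%02x\n", demo_fixed());
    return 0;
}
```

Build with any C11 compiler and run: the vulnerable path ends with victim_byte overwritten by the attacker's value, the fixed path leaves it at zero. In a real browser the reclaiming allocation is sized by the attacker's script to match the freed object, and a single controlled byte write is then built up into something more powerful, which is the part the Flash object in the reported exploit orchestrates.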