New Microsoft IE zero-day vulnerability in the wild

Microsoft announced to be aware of a new IE Zero Day vulnerability (CVE-2013-3893) that affects Windows browsers IE 8 and IE 9 recently targeted by hackers.

Microsoft announced to be aware of the presence of a zero-day vulnerability (CVE-2013-3893) in its browser IE. Windows browsers IE 8 and IE 9 are affected by serious zero-day vulnerability recently targeted by hackers during attacks.

Microsoft confirmed that the flaw was unknown before the attacks and for this reason it is working on an official patch to protect its customers’ browser, anyway due the severity of the bug it has released a fix to protect the users. The official advisory issued today describes the IE zero-day vulnerability  as a  remote code bug that could be exploited by hackers to install malware on the victim’s machine just visiting a malicious link.

“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

We discussed several times on the efficiency of a zero-day vulnerability in the browsers and the possible risks related to its exploitation, victims could be infected despite they adopt all necessary countermeasures due the lack of knowledge on the flaw.

The exploitation of a zero-day flaw is very common for state-sponsored attacks, typically the discovery of such bugs requests a great effort in research and it’s expensive,  spear-phishing attacks and watering hole attacks are the most common attack scenarios. A hacker could host a website that serves maliciously exploit  for the this zero-day vulnerability, another possibility is the impairment of website usually visited by victims.

In the specific case if the attacker successfully exploited the zero-day vulnerability could gain the same user rights as the current user, due this reason MS confirmed that whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Applying the fix prepared by Microsoft may limit some functionalities of IE, so if user notices problems he can reverse the  fix.

Pierluigi Paganini

(Security Affairs –  Microsoft, IE, zero-day)