Microsoft announced to be aware of the presence of a zero-day vulnerability (CVE-2013-3893) in its browser IE. Windows browsers IE 8 and IE 9 are affected by serious zero-day vulnerability recently targeted by hackers during attacks.
Microsoft confirmed that the flaw was unknown before the attacks and for this reason it is working on an official patch to protect its customers’ browser, anyway due the severity of the bug it has released a fix to protect the users. The official advisory issued today describes the IE zero-day vulnerability as a remote code bug that could be exploited by hackers to install malware on the victim’s machine just visiting a malicious link.
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
We discussed several times on the efficiency of a zero-day vulnerability in the browsers and the possible risks related to its exploitation, victims could be infected despite they adopt all necessary countermeasures due the lack of knowledge on the flaw.
The exploitation of a zero-day flaw is very common for state-sponsored attacks, typically the discovery of such bugs requests a great effort in research and it’s expensive, spear-phishing attacks and watering hole attacks are the most common attack scenarios. A hacker could host a website that serves maliciously exploit for the this zero-day vulnerability, another possibility is the impairment of website usually visited by victims.
In the specific case if the attacker successfully exploited the zero-day vulnerability could gain the same user rights as the current user, due this reason MS confirmed that whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Applying the fix prepared by Microsoft may limit some functionalities of IE, so if user notices problems he can reverse the fix.
(Security Affairs – Microsoft, IE, zero-day)
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical…
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
A financially motivated group named GhostR claims the theft of a sensitive database from World-Check…
Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve…
Japan's CERT warns of a vulnerability in the Forminator WordPress plugin that allows unrestricted file uploads…
This website uses cookies.