Microsoft warns of Internet Explorer flaw that could give hackers 'complete control' - Fresh Internet Explorer Zero-Day Used In Targeted Attacks
An unpatched, previously-unknown Internet Explorer vulnerability has been exploited in targeted attacks, Microsoft has warned.
The groups behind the attacks have exploited browser zero-day flaws in the past, according to security firm FireEye. They used the Internet Explorer “use-after-free” vulnerability, which takes advantage of the way memory is handled after it has been freed to allow external code to execute, alongside an Adobe Flash exploit to bypass Windows protections.
Clandestine Fox bites Internet Explorer
“They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure,” FireEye warned in a blog post on the attacks it named “Operation Clandestine Fox”.
All versions of Internet Explorer, from 6 to 11, are affected and administrators have been urged to take action. Microsoft said Enhanced Protected Mode, on by default in Internet Explorer 10 and Internet Explorer 11, as well as Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview should help mitigate the threat.
“We also encourage you to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software,” Microsoft said in a blog post.
“Additionally, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders.”
Experts are concerned about Windows XP users, given the recent end of support for the operating system. Once Microsoft does push out a patch, it won't cover those XP users who haven't acquired some kind of extended support.
“Don't say you weren't warned. Microsoft told the world it would stop releasing XP security updates a full seven years ago,” said security blogger Graham Cluley.
“Alternatively, you could consider using an alternative web browser like Chrome, Firefox, Opera, etc… That's not to say that these Internet Explorer competitors don't, from time to time, have security issues of their own, of course, but while you're waiting for a proper fix from Microsoft it might be a course of action worth considering.”
It was only in February that Microsoft warned of another zero-day use-after-free vulnerability in Internet Explorer.
--
Microsoft has warned users of a security flaw in the company's Internet Explorer browser that could allow hackers to take “complete control” of a user's computer.
The glitch affects versions 6 to 11 of Internet Explorer, which collectively account for more than 50 per cent of global web traffic.
The company has issued a security advisory regarding the flaw and says that it is currently exploring ways to fix the vulnerability.
“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,” wrote the company.
The flaw is particularly hazardous on computers running the recently-discontinued Windows XP operating system. Microsoft ended security support for the 12-year-old software in April, warning users that the lack of updates would put computers running XP at severe risk from hackers and viruses.
Regarding the newly discovered flaw, Microsoft said that it is aware of “limited, targeted attacks” that had taken place, adding that hackers could use a “specially crafted website” to assume control of the user's computer.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” warned the company.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
The company avoided offering any detail regarding the nature of the flaw, saying only that it existed in "the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated."
It isn't clear whether Microsoft will issue a fix for the flaw for Windows XP users or just for individuals running the more recent Vista, 7 and 8 operating systems.
Source: TechWeekEurope, The Independent