Microsoft reveals new zero-day vulnerability affecting Internet Explorer

The flaw is possibly being used by a group of hackers to target financial and defense organizations in the U.S.
By Ananth Baliga   |   April 28, 2014 at 9:22 AM

REDMOND, Wash., April 28 (UPI) -- Microsoft confirmed Saturday that a new security vulnerability was affecting all versions of Internet Explorer by allowing "limited, targeted attacks."

Microsoft said it was investigating the security glitch, which allowed for remote code execution and affected all versions of Internet Explorer -- IE 6 through 11. Currently versions 9, 10 and 11 are being attacked, according to FireEye, the research firm that alerted Microsoft to the vulnerability Friday.

The attacks are taking advantage of a "use after free" vulnerability -- a little known vulnerability that allows data corruption after memory has been released. The vulnerability also bypasses both Windows DEP (data execution prevention) and ASLR (address space layout randomization) protections, according to FireEye.

"The APT [advanced persistent threat] group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past," FireEye said. "They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure."

Windows Server versions that run Internet Explorer in the default Enhanced Security Configuration are not vulnerable unless an affected site is placed in the Internet Explorer Trusted sites zone.

Microsoft said it was investigating the vulnerability and would issue a security update to address the problem.
