Major Internet Explorer Security Flaw Discovered

Dennis Faas's picture

A newly discovered flaw in Microsoft's popular Internet Explorer (IE) web browser could allow hackers to take control of a Windows-based computer. The Redmond, Washington-based firm has acknowledged that the problem exists and that it affects older versions of IE.

The firm has also released a temporary fix for the problem.

Microsoft Advises: Avoid Suspicious Links

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," Microsoft said in a security advisory issued on Sunday, December 30, 2012.

Microsoft says the remote code execution flaw stems from the way its popular browser accesses a computer's memory. The vulnerability could reportedly allow a hacker to take control of a victim's computer system if the user browses to a malicious website.

"In a web-based attack scenario, an attacker could host a website ... that is used to exploit this vulnerability," Microsoft said in the security advisory. (Source: cnet.com)

"In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website."

This is a distinction without a difference, however, because most security exploits depend on a computer somehow connecting to a source of malicious software.

It appears, in fact, that this vulnerability has already been exploited. According to reports, the flaw was recently used to attack Windows users who visited the website of the Council on Foreign Relations, a non-partisan U.S. foreign policy think tank.

Reports also indicate the Council on Foreign Relations site had been infected with malicious code since December 21, 2012.

"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability," noted security expert Darien Kindlund.

Flaw Affects Only Older Versions of IE

Microsoft insists this particular IE flaw affects only Internet Explorer 8 and older versions of its browser. The company says users of Internet Explorer 9 and 10 need not worry about this issue.

Microsoft has recently issued a temporary workaround for the problem in lieu of a full-fledged patch. If you use an older version of Internet Explorer, visit Microsoft.com to learn more about the fix and how to obtain it. (Source: venturebeat.com)
