A new zero day exploit targeting Microsoft's Internet Explorer Web browser has been discovered that has the potential to be particularly nasty because it affects every IE user. The security flaw impacts IE 6 and newer -- which accounts for about 26 percent of all Web browser use -- and can let hackers run arbitrary code on victim's computers.
Use Internet Explorer? There's a security flaw for that.
Microsoft described the issue in a security alert saying,
The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
In muggle-speak, that means hackers can create websites designed to trick you into thinking you're at a legit site, and then load and launch their own code on your Windows-running computer. That code can do all sorts of things, like launch attacks on other Web servers, log every key you press on your keyboard, download your contacts and other personal information, and more.
This is particularly nasty because so many computers are are risk, and Microsoft doesn't have a fix available yet. There's also evidence that the flaw is being actively exploited by hackers right now.
"Threat actors are actively using this exploit in an ongoing campaign which we have named 'Operation Clandestine Fox.' However, for many reasons, we will not provide campaign details," security research company FireEye said in a blog post. "But we believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available."
Internet Explorer users can help protect themselves from the exploit by disabling Flash on their computer. Hackers are using Adobe's Flash as their access point into victim's computers through a maliciously crafted SWF file that uses Javascript to trigger the exploit.
For Windows users this is a big problem because there isn't a patch available, and for Windows XP users it's even a bigger issue. Microsoft recently stopped supporting Windows XP, but the operating system is still widely used. Unless the company decides to go back and address the flaw there, too, many IE users could be stuck with systems that are open and susceptible to hacker attacks.
For Mac users, the exploit ins't an issue unless they're running IE 6 or newer in a virtual environment like Parallels, or running Windows natively on their computer via Boot Camp. Their Mac files and data will remain safe, but any data that's in their Windows PC drives or containers will be vulnerable to attacks.
Microsoft is looking into the issue, and Adobe hasn't said yet if it's looking into the role Flash is playing.