Microsoft Warns Of Zero-Day Flaw In Internet Explorer
Following reports of an unpatched bug in older versions of the Internet Explorer (IE) browser, Microsoft has confirmed that the vulnerability allows hackers to hijack Windows machines.
Fortunately, Internet Explorer 9 and Internet Explorer 10 are not included in the affected browsers version list and, therefore, Window 8 users are safe. The bug, dubbed 'zero-day' flaw, mainly works on Windows machines running Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8.
In a security advisory released on Saturday, Dec. 29, Microsoft confirmed the existence of 'zero-day' vulnerability and recommended users keep their Web browser up to date.
"The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," Microsoft wrote.
According to The Washington Free Beacon, the vulnerability exploited Windows PCs whose users visited the Web site of Council of Foreign Relations (CFR) - a foreign policy think tank with servers and office in New York. Using the pirated computer system, hackers attacked CFR members and other visitors.
Free Beacon reports that the hack was first detected on Dec. 26 and pointed to Chinese hackers for attacking CFR's Web site. FireEye claims that the CFR Web site hosted the malicious code since Dec. 21. Other security firms believe that the attacks using the IE vulnerability started as early as Dec. 7.
The Web site of CFR was neutralized against the attack on Dec. 28, but security of users on Windows machines running Windows XP, Windows Vista, and Windows 7 remains vulnerable..
In a separate post on Security Research & Defense blog, Microsoft wrote that it is "working around the clock on the full security update" and announced the availability of a 'Shim' to block active attacks against IE 6, IE7, and IE 8 users.