Microsoft has issued a warning about a vulnerability in its Internet Explorer browser, which attackers could exploit to gain the same user rights as the current user. This means that if the current user is logged on with administrative user rights, an attacker could take complete control of a targeted system. The attacker could then install programs and view, change or delete data as well as create new accounts with full user rights. Microsoft reported that the vulnerability is found in Internet Explorer (IE) versions 6 to 11.
Microsoft warned that the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code within IE. The company also said an attacker could host a specially crafted website that is designed to exploit this vulnerability through IE and then convince a user to view the website. This is typically done by sending email or instant messages that are designed to trick recipients into clicking a link to the malicious website.
“On completion of this investigation, Microsoft will take the appropriate action to protect customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update.”
Users running Windows XP at work or home AND users who have administrator rights on their laptop or desktop need to be extra careful.
How can you avoid this risk? Until further notice, you should limit use of ANY version of Internet Explorer immediately, in favor of alternative browsers like Mozilla Firefox or Google Chrome.
Avoid non-business web sites. Do not click links in emails or click popups from public web sites.
I will let you know when it is safe again to use IE. If IE is your primary browser, please switch to an alternative one.
Please feel free to contact me for any further information.
MORE ON IE VULNERABILITIES
Because an attacker who successfully exploited this vulnerability could gain the same user rights as the current user, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft suggests several steps to limit exposure to the vulnerability until a fix is released. These include:
· Deploying the free Enhanced Mitigation Experience Toolkit (EMET) version 4.1
· Setting Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
· Configuring Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
· Modifying the Access Control List on VGX.DLL to be more restrictive
· Enabling Enhanced Protected Mode for Internet Explorer 11 and enabling 64-bit processes for Enhanced Protected Mode
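To confirm that the two zone-setting workarounds above are actually in effect for the logged-on user, the following PowerShell audit can be run. It is an added example, not part of Microsoft's advisory or the original message. The registry path, the URL action IDs 1400 and 1200, and the "High" level value are standard Windows zone settings rather than values given on this page, and reading "block ActiveX" as the disable value is an assumption.

```powershell
# Added example: audit IE security-zone settings against the workarounds above.
# Zone IDs used by Windows: 1 = Local intranet, 3 = Internet.
$Zones = @(
    @{ Id = 1; Name = 'Local intranet' }
    @{ Id = 3; Name = 'Internet' }
)
# URL action IDs and the values that satisfy the workaround.
# Action values: 0 = enable, 1 = prompt, 3 = disable.
$Actions = @(
    @{ Id = '1400'; Name = 'Active scripting';                  Ok = @(1, 3) }
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins'; Ok = @(3) }  # assumption: "block" = disable
)
$Meaning   = @{ 0 = 'enable'; 1 = 'prompt'; 3 = 'disable' }
$HighLevel = 0x12000   # CurrentLevel when the zone slider is set to "High"

function Test-IEZoneHardening {
    param(
        # Per-user settings by default. Pass the matching key under
        # Software\Policies (HKCU: or HKLM:) to audit Group Policy settings.
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    foreach ($zone in $Zones) {
        $props = Get-ItemProperty -Path "$Root\$($zone.Id)" -ErrorAction SilentlyContinue
        $level = if ($props) { $props.CurrentLevel } else { $null }
        foreach ($action in $Actions) {
            # A missing key or value means nothing is configured at this location.
            $value = if ($props) { $props.($action.Id) } else { $null }
            $state = if ($null -eq $value) { 'not set' }
                     elseif ($Meaning.ContainsKey($value)) { $Meaning[$value] }
                     else { "other ($value)" }
            [pscustomobject]@{
                Zone        = $zone.Name
                Setting     = $action.Name
                State       = $state
                ZoneAtHigh  = ($level -eq $HighLevel)
                Mitigated   = ($action.Ok -contains $value)
            }
        }
    }
}

# Rows with Mitigated = False still need one of the workarounds applied.
Test-IEZoneHardening | Format-Table -AutoSize
```

A "not set" row means this registry location carries no explicit value, so the effective setting comes from elsewhere (for example a policy key) and should be checked there with `-Root`.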
Special Note for XP Users:
Due to the recent end-of-life announcement for XP and IE 8, no patch is expected for this vulnerability. You are advised to upgrade your operating system as soon as possible. In the meantime, install Chrome or Firefox, and DO NOT use Internet Explorer or Outlook Express.