Internet Explorer Vulnerability Discovered By Attackers

This week, in the monthly edition of Patch Tuesday, Microsoft released a number of patches to fix vulnerabilities in Internet Explorer. Just days later, Microsoft has confirmed that a zero-day exploit is being used in an active attack campaign that targets IE 9 and 10. Brandan Blevins of Search Security reports more details.

The label ‘zero-day’ categorizes attacks that exploit vulnerabilities before a patch can be created. By definition, this is a case where attackers learned of a vulnerability before the developers.

The attack is also categorized as a “watering hole attack”, which means that a specific website is being targeted in order to infect the group that typically visits that site. In this case, the U.S. Veterans of Foreign Wars’ website has its HTML code tampered with in order to load a malicious web page for visitors. When that page loads, malware is downloaded and executed on the user’s machine.

The attack exploits what’s being called the “use-after-free” bug, which allows for one byte of memory to be modified at “an arbitrary address”.

Microsoft has not announced whether a patch will be rushed out to fix the vulnerability or if users will have to wait for March’s Patch Tuesday. In the meantime, there are two options for IE 9 and 10 users.

One is a complicated fix using Microsoft’s Enhanced Mitigation Toolkit Experience.

A simpler fix is to stop using IE 9 and 10 until a patch is released. Either change browsers to Chrome, Firefox or another popular choice, or upgrade Internet Explorer to version 11.

If your computer has already been infected with malware, bring it to Geek Rescue, or call us at 918-369-4335.