New Zero-Day Vulnerability affects all versions of Internet Explorer Browser
Microsoft has confirmed a new critical zero-day vulnerability in its Internet Explorer browser. The flaw affects all versions of Internet Explorer, from IE version 6 through IE version 11.
In a Security Advisory (2963983) released yesterday, Microsoft acknowledged that a zero-day Internet Explorer vulnerability (CVE-2014-1776) is being used in targeted attacks by APT groups, but the currently active attack campaigns are targeting IE9, IE10 and IE11.
INTERNET EXPLORER 0-DAY VULNERABILITY (CVE-2014-1776)
According to the advisory, Internet Explorer is vulnerable to remote code execution. The flaw resides 'in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,' Microsoft said.
Microsoft's investigation team is currently working with FireEye security experts, and has dubbed the ongoing targeted campaign "Operation Clandestine Fox".
In a blog post, FireEye explained that an attacker could trigger the zero-day IE exploit through a malicious webpage that the targeted user has to access with one of the affected Internet Explorer browsers. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the browser and gain the same user rights as the current user.
CULPRIT: ADOBE FLASH PLUGIN
According to the advisory, there is currently no security patch available for this vulnerability. "Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market," FireEye said.
MITIGATION - HOW TO PROTECT YOUR COMPUTER FROM ZERO-DAY IE EXPLOIT?
Microsoft is working on a security patch for the Internet Explorer vulnerability, which could be available in the next Patch Tuesday update (13th May, 2014). However, you can still mitigate the zero-day threat by following the methods given below: