Microsoft released a critical, out-of-band security update for Internet Explorer (IE) that affects several versions of the Web browser on multiple Windows operating systems.
“The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer,” stated Microsoft in an Aug. 18 security bulletin. “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” the company warned.
Users toiling away with administrator accounts—a common practice among IT pros—are at the most risk. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” said Microsoft.
The critical vulnerability affects IE versions 7, 8, 9, 10 and 11 on Windows clients dating back to Vista. Microsoft classified the bug as a “moderate” threat on Windows Server 2008 and 2012.
Classified as a memory corruption vulnerability (CVE-2015-2502), the flaw affects how IE accesses objects in memory. “This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” stated the bulletin.
Wolfgang Kandek, CTO of network security specialist Qualys, noted that attackers have already pounced on the vulnerability.
“The attack code is hosted on a malicious Web page that you or your users would have to visit in order to get infected. Attackers use a number of mechanisms to increase their target reach and lure users to the Web page,” he said in a note sent to eWEEK.
Tactics can include vastly expanding the pool of potential victims by “hosting the exploit on ad networks, which are then used by entirely legitimate Websites,” said Kandek. Another method involves “gaining control over legitimate Websites, say blogs, by exploiting vulnerabilities in the blogging server software or simply weak credentials.”
Hijacking blogs has become a popular pastime for hackers. Blogs powered by WordPress, in particular, have been the frequent target of hackers online.
In April, the Federal Bureau of Investigation (FBI) warned about the potential danger of Islamic State (ISIS) terrorists exploiting vulnerabilities in the WordPress blogging and content management system software. “Researchers continue to identify WordPress content management system (CMS) plug-in vulnerabilities, which could allow malicious actors to take control of an affected system,” stated the FBI’s advisory.
Infected blogs aside, Kandek warned that attackers can resort to setting up Websites and manipulating search results for the express purpose of infecting unsuspecting users. They may also resort to old-fashioned spam and instant messages.
The IE flaw also adds a new wrinkle in the contentious relationship between Microsoft and Google, at least as it pertains to how Google has handled the disclosure of zero-day flaws affecting Microsoft software. Kandek observed that Microsoft credited “a Google researcher Clement Lecigne with the find, which is interesting since we have seen Google more active in the proactive finding of vulnerabilities.”