Skip to comments.New zero day vulnerability identified in all versions of IE
Posted on 04/27/2014 4:26:55 PM PDT by dayglored
A new zero day vulnerability that resides in all versions of Internet Explorer has been spotted in the wild, Microsoft confirmed late Saturday.
The vulnerability, which could allow remote code execution, is being used in "limited, targeted attacks," according to an advisory issued by Microsoft. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm Fire Eye, which first reported the flaw Friday.
The attack leverages a previously unknown "use after free" vulnerability -- data corruption that occurs after memory has been released -- and bypasses both Windows DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protections, according to Fire Eye.
An attack could be triggered by luring visitors to a specially crafted web page, Microsoft explained.
Okay, XP die-hards, you were warned. Here it comes.
"The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft said. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."
Microsoft said it is investigating the vulnerability and may issue an out-of-cycle security update to address the issue.
Fire Eye said the flaw was significant because it affects more than a quarter of the total browser market.
"Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market," Fire Eye said in its advisory.
If its an IE problem what does XP have to do with it?
In other words, nothing?
Does XP still receive IE updates however?
I wonder if it’s just static at this point?
The article says MS is looking to do an out of cycle update.
So yes, IE updates are separate from the OS. Remember when they were forced to unbundle them?
The only time I used IE was to get XP updates.
As far as I know, Microsoft discontinued support of old IE versions that run on XP, and does not back-port newer supported versions to XP. Therefore AFAIK there won't be any patches for the IE flaw, for any version that runs on XP.
If somebody can show that Microsoft will produce a patch for a version of IE that runs supported on XP, let me know please.
I’m currently on Ubuntu (I have a copy of 8.1 but am currently still using Ubuntu IRL)
So this is not an actual XP issue then, it is an independent issue with the browser.
This sounds like one more reason to never run your machine as an administrator useless you have a need. Most viruses can’t install with out admin rights.
Best of luck with that. I'll bet you 99 of the 100 say, "WHUT?"
The 1 out of 100 is a corporate SysAdmin who has a Windows Update server.
IE and the OS are in an incestuous relationship. The fix may require both the be patched.
What this IE flaw has to do with XP is: the flaw will get a patch, for the newer, supported versions of IE. It WILL NOT get a patch for the older unsupported versions that run on XP.
AFAIK. If you know different, post a link to the Microsoft article that says it. Please!
Weird that this wasn’t discovered until such time as MS wants to panic its herd into W8.
Which software is more likely to have sloppy memory management?
"...PCs running Windows XP will not receive any updates fixing that bug when they are released..."
If you're a Microsoft XP User, stop using Internet Explorer and switch to Google Chrome, FireFox, Safari or something other than IE.
As this is an EXPLOIT and not a Virus/Malware, the critical point is that the exploit is tied to IE.
For those of you with System Restore turned on make sure you have a System Restore point set, and a good backup of XP including the OS and your data files.
Stopping usage of IE will provide some protection for now but ultimately, XP is going to be breached world-wide and those of you running it will regret not upgrading.
Okay, you're on an XP system, and XP updates are unavailable. Please tell me how you get an update for your unsupported version of IE?
AFAIK, and this is the key: THE FACT THAT YOU'RE RUNNING XP MAKES YOU INELIGIBLE FOR ANY UPDATES, including IE updates.
If you know different, please post a link to the Microsoft page that says so. I'd sure like to have that link to give to my family and friends who are still running XP and will be calling me for help.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.