Internet Explorer users warned of zero-day exploit used in targeted attacks

Graham Cluley
Graham Cluley
@[email protected]

Internet Explorer security hole Microsoft has issued a warning about a critical zero-day vulnerability in versions of Internet Explorer, that is being exploited in “limited, targeted attacks”.

The Seattle-based software giant said in an advisory that only Internet Explorer 9 and Internet Explorer 10 are affected by the remote code execution vulnerability, and that it is working on a proper patch to defend users.

Microsoft published few details of the vulnerability, but there’s no doubt regarding how it could be exploited by determined attackers:

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Sign up to our free newsletter.
Security news, advice, and tips.

The risk is, of course, that computer users might have their computers infected by malware before the patch is made available – perhaps by tricking victims into visiting a boobytrapped website.

It’s becoming more and more common for hackers to target legitimate websites, injecting code into them which runs malicious code on third-party sites that exploits unpatched vulnerabilities in the visiting computers.

This opens the possibility for hackers to target websites which they know are visited by people of interest to them – see, for instance, the just discovered Adobe Flash zero-day flaw which was found being exploited via websites dealing with foreign policy and national security.

Microsoft doesn’t have an official fix for the newly-discovered Internet Explorer vulnerability yet, but has produced a Fix It tool that can be used as a workaround to reduce the risk.

Of course, you should still keep your eyes open for when the official patches from Microsoft become available – and roll them out across your computers as soon as possible.

If you don’t, you run the risk of malicious hackers turning their attention to your network next.

For more details of the vulnerability, and mitigating factors, read Microsoft’s security advisory.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Internet Explorer users warned of zero-day exploit used in targeted attacks”

  1. For English-language users, <a href=""><b>EMET</b></a> would seem the best approach for this and many other vulnerabilities, n'est ce-pas?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.