Exploited Internet Explorer flaw won't be patched until next month

Microsoft's legacy browser hit by zero-day strikingly similar to one found in Mozilla's Firefox

Microsoft has warned that millions of people still using the Internet Explorer browser could be at risk from a zero-day flaw that is actively being exploited by hackers.

The flaw, which is in a scripting engine of the browser, makes use of memory corruption to execute code. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft noted in its security guidance. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system."

That could let attackers install programs, access data, or create new accounts, the company noted.

"One way in which the vulnerability could be exploited is via a web-based attack, where users could be lured into visiting a boobytrapped webpage – perhaps via a malicious link in an email," security and industry analyst Graham Cluley noted in a blog post.

Related Resource

Four cybersecurity essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Cluley added that the flaw appeared to be related to a similar vulnerability in Mozilla Firefox spotted earlier this month. The discovery of both flaws was attributed to Qihoo 360, with the security firm tweeting last week as it reported the Firefox flaw that there was also an IE version.

Microsoft said it was aware of "limited targeted attacks" using the vulnerability. Microsoft said it was working on a fix, and suggested it would come with the next Patch Tuesday, which is due out on 11 February.

While users will have to wait for a patch, Microsoft noted that anyone running IE on various versions of Windows Server may be protected by default settings called Enhanced Security Configuration. Microsoft also suggested a workaround for other users, which involves restricting access to JScript.dll, though that will have to be undone when the update is issued.

"Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology," notes guidance by the CERT coordination centre at Carnegie Mellon. "When Internet Explorer is used to browse the modern web, jscript9.dll is used by default."

The best mitigation is to switch to a modern browser, with Microsoft referring to IE as a "compatibility solution" for older apps rather than a browser to push out widely to staff. However, according to Net Applications' Market Share figures, 7.4% of web users are still on IE — two percentage points more than Microsoft's Edge, which was first released in 2015.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

Your essential guide to internet security
Security

Your essential guide to internet security

27 Jan 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Roadmap 2021: What’s coming from 3CX
Advertisement Feature

Roadmap 2021: What’s coming from 3CX

30 Mar 2021