Exploited Internet Explorer flaw won't be patched until next month

Microsoft's legacy browser hit by zero-day strikingly similar to one found in Mozilla's Firefox

Microsoft has warned that millions of people still using the Internet Explorer browser could be at risk from a zero-day flaw that is actively being exploited by hackers.

The flaw, which sits in one of the browser's scripting engines, is a memory corruption bug that can be used to execute code. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft noted in its security guidance. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system."

That could let attackers install programs, access data, or create new accounts, the company noted.

"One way in which the vulnerability could be exploited is via a web-based attack, where users could be lured into visiting a boobytrapped webpage – perhaps via a malicious link in an email," security and industry analyst Graham Cluley noted in a blog post.

Cluley added that the flaw appeared to be related to a similar vulnerability in Mozilla Firefox spotted earlier this month. The discovery of both flaws was attributed to Qihoo 360; when it reported the Firefox flaw last week, the security firm tweeted that there was also an IE version.

Microsoft said it was aware of "limited targeted attacks" using the vulnerability. The company added that it was working on a fix, and suggested it would come with the next Patch Tuesday, which is due out on 11 February.

While users will have to wait for a patch, Microsoft noted that anyone running IE on various versions of Windows Server may be protected by default settings called Enhanced Security Configuration. Microsoft also suggested a workaround for other users, which involves restricting access to JScript.dll, though that will have to be undone when the update is issued.

"Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology," notes guidance by the CERT coordination centre at Carnegie Mellon. "When Internet Explorer is used to browse the modern web, jscript9.dll is used by default."

The best mitigation is to switch to a modern browser, with Microsoft referring to IE as a "compatibility solution" for older apps rather than a browser to push out widely to staff. However, according to Net Applications' Market Share figures, 7.4% of web users are still on IE — two percentage points more than Microsoft's Edge, which was first released in 2015.
