Exploited Internet Explorer flaw won't be patched until next month

Microsoft's legacy browser hit by zero-day strikingly similar to one found in Mozilla's Firefox

Microsoft has warned that millions of people still using the Internet Explorer browser could be at risk from a zero-day flaw that is actively being exploited by hackers.

The flaw, which is in a scripting engine of the browser, makes use of memory corruption to execute code. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft noted in its security guidance. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system."

Advertisement - Article continues below

That could let attackers install programs, access data, or create new accounts, the company noted.

"One way in which the vulnerability could be exploited is via a web-based attack, where users could be lured into visiting a boobytrapped webpage – perhaps via a malicious link in an email," security and industry analyst Graham Cluley noted in a blog post.

Related Resource

Four cybersecurity essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Cluley added that the flaw appeared to be related to a similar vulnerability in Mozilla Firefox spotted earlier this month. The discovery of both flaws was attributed to Qihoo 360, with the security firm tweeting last week as it reported the Firefox flaw that there was also an IE version.

Advertisement
Advertisement - Article continues below

Microsoft said it was aware of "limited targeted attacks" using the vulnerability. Microsoft said it was working on a fix, and suggested it would come with the next Patch Tuesday, which is due out on 11 February.

While users will have to wait for a patch, Microsoft noted that anyone running IE on various versions of Windows Server may be protected by default settings called Enhanced Security Configuration. Microsoft also suggested a workaround for other users, which involves restricting access to JScript.dll, though that will have to be undone when the update is issued.

Advertisement - Article continues below

"Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology," notes guidance by the CERT coordination centre at Carnegie Mellon. "When Internet Explorer is used to browse the modern web, jscript9.dll is used by default."

The best mitigation is to switch to a modern browser, with Microsoft referring to IE as a "compatibility solution" for older apps rather than a browser to push out widely to staff. However, according to Net Applications' Market Share figures, 7.4% of web users are still on IE — two percentage points more than Microsoft's Edge, which was first released in 2015.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020