Exploited Internet Explorer flaw won't be patched until next month

Microsoft's legacy browser hit by zero-day strikingly similar to one found in Mozilla's Firefox

Microsoft has warned that millions of people still using the Internet Explorer browser could be at risk from a zero-day flaw that is actively being exploited by hackers.

The flaw, tracked as CVE-2020-0674, sits in the browser's legacy JScript scripting engine (jscript.dll): a memory-corruption bug that a crafted script can turn into arbitrary code execution. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft noted in its security guidance. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system."

That could let attackers install programs, access data, or create new accounts, the company noted.

"One way in which the vulnerability could be exploited is via a web-based attack, where users could be lured into visiting a boobytrapped webpage – perhaps via a malicious link in an email," security and industry analyst Graham Cluley noted in a blog post.


Cluley added that the flaw appears to be related to a similar vulnerability in Mozilla Firefox found earlier this month. Both discoveries are credited to Qihoo 360; when the security firm reported the Firefox flaw last week it tweeted that an Internet Explorer version of the bug existed as well.

Microsoft said it was aware of "limited targeted attacks" using the vulnerability. Microsoft said it was working on a fix, and suggested it would come with the next Patch Tuesday, which is due out on 11 February.

While users will have to wait for a patch, Microsoft noted that Internet Explorer on supported versions of Windows Server is protected by default by Enhanced Security Configuration, which blocks script execution for sites in the Internet zone. For everyone else Microsoft offered a workaround: restricting file-system access to jscript.dll so that the browser can no longer load the vulnerable engine. The restriction has to be undone when the update is issued, before it is installed.

"Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology," notes guidance by the CERT coordination centre at Carnegie Mellon. "When Internet Explorer is used to browse the modern web, jscript9.dll is used by default."
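The workaround described above amounts to a file ACL change on jscript.dll, and its reversal. The script below is an added example written for this page, not Microsoft's own tooling or text from the advisory; it uses the standard takeown and cacls commands to add (or, with -Revert, remove) an explicit deny-all entry for Everyone on each copy of the library, then reads the ACL back with Get-Acl so the operator can see the resulting state. It assumes the usual file layout (System32 everywhere, SysWOW64 additionally on 64-bit Windows) and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Microsoft): apply or revert the
# jscript.dll access restriction used as a stop-gap for the IE zero-day.
# Run from an elevated PowerShell prompt on the affected client.
[CmdletBinding()]
param(
    [switch]$Revert   # undo the restriction before installing the fix
)

# On 64-bit Windows both the 64-bit and the WOW64 copy must be covered,
# otherwise 32-bit iexplore.exe can still load the engine.
$paths = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "$env:windir\SysWOW64\jscript.dll"
}

foreach ($dll in $paths) {
    if (-not (Test-Path $dll)) {
        Write-Warning "$dll not found, skipping"
        continue
    }

    if ($Revert) {
        # Remove the explicit entry for Everyone; inherited entries are untouched.
        cacls $dll /E /R everyone | Out-Null
    } else {
        # The file is owned by TrustedInstaller, so take ownership first,
        # then edit (/E) the ACL to add an explicit deny-all (:N) for Everyone.
        takeown /f $dll | Out-Null
        cacls $dll /E /P everyone:N | Out-Null
    }

    # Check: does a Deny entry for Everyone now exist (or no longer exist)?
    $acl      = Get-Acl $dll
    $denied   = $acl.Access | Where-Object {
        $_.IdentityReference -like '*Everyone' -and $_.AccessControlType -eq 'Deny'
    }
    $state = if ($denied) { 'BLOCKED (deny entry present)' } else { 'accessible' }
    Write-Output ("{0}: {1}" -f $dll, $state)
}
```

Two caveats a practitioner will want before rolling this out. First, the deny entry is not specific to Internet Explorer: anything that still loads the legacy engine, for instance Windows Script Host running a .js file or a proxy auto-configuration (PAC) script evaluated by the WinHTTP/WinINet stack, will fail until the entry is removed. Second, the revert only removes the ACL entry; ownership of the file stays with the account that ran takeown, which is harmless for the update but worth knowing if the machine is later audited.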

The best mitigation is to switch to a modern browser, with Microsoft referring to IE as a "compatibility solution" for older apps rather than a browser to push out widely to staff. However, according to Net Applications' Market Share figures, 7.4% of web users are still on IE — two percentage points more than Microsoft's Edge, which was first released in 2015.
