Microsoft announced to be aware of a new IE Zero Day vulnerability (CVE-2013-3893) that affects Windows browsers IE 8 and IE 9 recently targeted by hackers.
Microsoft announced to be aware of the presence of a zero-day vulnerability (CVE-2013-3893) in its browser IE. Windows browsers IE 8 and IE 9 are affected by serious zero-day vulnerability recently targeted by hackers during attacks.
Microsoft confirmed that the flaw was unknown before the attacks and for this reason it is working on an official patch to protect its customers’ browser, anyway due the severity of the bug it has released a fix to protect the users. The official advisory issued today describes the IE zero-day vulnerability as a remote code bug that could be exploited by hackers to install malware on the victim’s machine just visiting a malicious link.
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
We discussed several times on the efficiency of a zero-day vulnerability in the browsers and the possible risks related to its exploitation, victims could be infected despite they adopt all necessary countermeasures due the lack of knowledge on the flaw.
The exploitation of a zero-day flaw is very common for state-sponsored attacks, typically the discovery of such bugs requests a great effort in research and it’s expensive, spear-phishing attacks and watering hole attacks are the most common attack scenarios. A hacker could host a website that serves maliciously exploit for the this zero-day vulnerability, another possibility is the impairment of website usually visited by victims.
In the specific case if the attacker successfully exploited the zero-day vulnerability could gain the same user rights as the current user, due this reason MS confirmed that whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Applying the fix prepared by Microsoft may limit some functionalities of IE, so if user notices problems he can reverse the fix.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.