Microsoft Internet Explorer users beware - Vulnerability in IE

Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: April 26, 2014
Version: 1.0

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.
Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
Recommendation. Please see the Suggested Actions section of this advisory for more information.

Affected Software

Internet Explorer 6:
  Windows Server 2003 Service Pack 2
  Windows Server 2003 x64 Edition Service Pack 2
  Windows Server 2003 with SP2 for Itanium-based Systems

Internet Explorer 7:
  Windows Server 2003 Service Pack 2
  Windows Server 2003 x64 Edition Service Pack 2
  Windows Server 2003 with SP2 for Itanium-based Systems
  Windows Vista Service Pack 2
  Windows Vista x64 Edition Service Pack 2
  Windows Server 2008 for 32-bit Systems Service Pack 2
  Windows Server 2008 for x64-based Systems Service Pack 2
  Windows Server 2008 for Itanium-based Systems Service Pack 2

Internet Explorer 8:
  Windows Server 2003 Service Pack 2
  Windows Server 2003 x64 Edition Service Pack 2
  Windows Vista Service Pack 2
  Windows Vista x64 Edition Service Pack 2
  Windows Server 2008 for 32-bit Systems Service Pack 2
  Windows Server 2008 for x64-based Systems Service Pack 2
  Windows 7 for 32-bit Systems Service Pack 1
  Windows 7 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Internet Explorer 9:
  Windows Vista Service Pack 2
  Windows Vista x64 Edition Service Pack 2
  Windows Server 2008 for 32-bit Systems Service Pack 2
  Windows Server 2008 for x64-based Systems Service Pack 2
  Windows 7 for 32-bit Systems Service Pack 1
  Windows 7 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for x64-based Systems Service Pack 1

Internet Explorer 10:
  Windows 7 for 32-bit Systems Service Pack 1
  Windows 7 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for x64-based Systems Service Pack 1
  Windows 8 for 32-bit Systems
  Windows 8 for x64-based Systems
  Windows Server 2012
  Windows RT

Internet Explorer 11:
  Windows 7 for 32-bit Systems Service Pack 1
  Windows 7 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for x64-based Systems Service Pack 1
  Windows 8.1 for 32-bit Systems
  Windows 8.1 for x64-based Systems
  Windows Server 2012 R2
  Windows RT 8.1

Read more…

https://technet.microsoft.com/en-us/library/security/2963983.aspx

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

I would recommend using another browser till MS fixes this.....

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

I would recommend using another browser even after M$ fixes it. Use IE only when you don't have a choice.

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

My IE doesn't even work:/

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

Agree. IE has always been vulnerable.

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

Here you go!

The U.S. Department of Homeland Security recommends not using Internet Explorer as your web browser because it is currently vulnerable to hackers.

Microsoft confirmed over the weekend that the security flaw affects the Internet Explorer Web browser versions 6 through 11, but the attack is targeting 9 through 11.

FireEye Research Labs, an Internet security software company based in Milpitas, California, immediately alerted Microsoft when they first discovered the security breach. “We are currently unaware of a practical solution to this problem,” said the engineers in a post Monday morning.

The glitch allows hackers to exploit flaws and attack a computer's memory using Adobe Flash. Therefore, FireEye noted, “The attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.”

The hackers exploiting the bug are calling their campaign “Operational Clandestine Fox.”

“It’s a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors,” said FireEye spokesman Vitor De Souza on Sunday. “It’s unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum Intel gathering.”

The United States Computer Emergency Readiness Team released this statement on Monday, April 28th:

“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution.

US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft’s recommendations, such as Windows XP users, may consider employing an alternate browser.

For more details, please see VU#222929.”

According to the technology research firm NetMarketShare, about 55% of PC computers run one of these versions of Internet Explorer, and about 25% run either IE9 or IE10.

The best course of action is to disable your Adobe Flash and use alternate web browsers, such as Google Chrome or Mozilla Firefox, until an official update is available.

For more suggested solutions, visit Microsoft Security Advisory 2963983.

Homeland Security: Don't Use Internet Explorer

I use IE to download chrome that's it.

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

Don't even do that. I would download Firefox or Chrome from a different computer and then put the file on the flash drive and then install it from there.....

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

IE sucks big time

Our Uni server got hacked because of IE lol

For my last couple of contracts I was surprised to find out that some big O&G companies still use IE6 for some of their web apps. For some apps Chrome worked fine but employees were instructed to use only IE for those portals.

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

Even though IE comes pre-installed on our systems at work, I developed our portals using Firefox and have a note on the portals that the site is best viewed in Firefox. :)

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

I recently built an HTML/JS app that was viewed in public places. The supported platform was IE8. Oh man, don't ask me how many hoops I had to jump through to handle all those x-domain calls and CSS quirks.

Re: Microsoft Internet Explorer users beware - Vulnerability in IE

I had to make my applications IE7 and IE8 compatible. That was my worst nightmare.