Microsoft discloses zero day in all versions of Internet Explorer

Summary:UPDATED: Attacks in the wild affect only IE versions 9 through 11 and rely on Flash. "Heap feng shui" strikes again.

Late Saturday Microsoft revealed a vulnerability in all versions of Internet Explorer that is being used in "limited, targeted attacks." They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.

All versions of Internet Explorer from 6 through 11 are listed as vulnerable as well as all supported versions of Windows other than Server Core. Windows Server versions on which IE is run in the default Enhanced Security Configuration are not vulnerable unless an affected site is placed in the Internet Explorer Trusted sites zone.

The vulnerability was reported to Microsoft by research firm FireEye. FireEye says that, while the vulnerability affects all versions of IE, the attack is specific to versions 9, 10 and 11. It is a "use after free" attack in which memory objects in the browser are manipulated after being released. The attack bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

The specific exploit, according to FireEye, uses an Adobe Flash SWF file to manipulate the heap with a technique called heap feng shui. Neither Microsoft nor FireEye says it, but this implies that systems without Flash installed are not vulnerable to the specific exploit, although they are to the underlyng vulnerability in Internet Explorer. Internet Explorer 10 and 11 come with Flash embedded, so they are vulnerable by default.

EMET, the Enhanced Mitigation Experience Toolkit, will also make it more difficult to exploit this vulnerability.

Update 1: Microsoft has updated their advisory for this vulnerability to clarify workarounds.]

Update 2:  Microsoft has patched this vulnerability , and details about how the exploit worked  have been disclosed .]

Topics: Security, Microsoft, Windows

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.