Zero-day loophole in older IE browsers found

Summary:Attackers can exploit the Internet Explorer vulnerability to gain same user rights as the current user and launch malicious Web sites, according to Microsoft.

Microsoft is looking into a vulnerability in older versions of its Internet Explorer (IE) browser which, when exploited, could give the attacker administrative user rights on the computer and host malicious Web sites.

In a security advisory issued last Saturday, the software giant said it is investigating public reports of the zero-day loophole in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. Newer versions IE9 and IE10 are not affected by this vulnerability, it added.

The company said the remote code execution vulnerability lies in the way "IE accesses an object in memory that has been deleted or has not been properly allocated".

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user . Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft stated.

Once administrative rights are gotten, they could then launch malicious Web sites targeting unsuspecting Internet users.

"In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site," Redmond added.

Once investigations are completed, Microsoft said it will take the "appropriate action" to protect its customers, which may include providing a patch through its usual monthly security update process or an out-of-cycle security update.

Topics: Security, Microsoft

About

A Singapore-based freelance IT writer, Kevin made the move from custom publishing focusing on travel and lifestyle to the ever-changing, jargon-filled world of IT and biz tech reporting, and considered this somewhat a leap of faith. Since then, he has covered a myriad of beats including security, mobile communications, and cloud computing... Full Bio

Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.