Microsoft discloses zero day in all versions of Internet Explorer

Microsoft discloses zero day in all versions of Internet Explorer

Summary: UPDATED: Attacks in the wild affect only IE versions 9 through 11 and rely on Flash. "Heap feng shui" strikes again.


Late Saturday Microsoft revealed a vulnerability in all versions of Internet Explorer that is being used in "limited, targeted attacks." They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.

All versions of Internet Explorer from 6 through 11 are listed as vulnerable as well as all supported versions of Windows other than Server Core. Windows Server versions on which IE is run in the default Enhanced Security Configuration are not vulnerable unless an affected site is placed in the Internet Explorer Trusted sites zone.

The vulnerability was reported to Microsoft by research firm FireEye. FireEye says that, while the vulnerability affects all versions of IE, the attack is specific to versions 9, 10 and 11. It is a "use after free" attack in which memory objects in the browser are manipulated after being released. The attack bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

The specific exploit, according to FireEye, uses an Adobe Flash SWF file to manipulate the heap with a technique called heap feng shui. Neither Microsoft nor FireEye says it, but this implies that systems without Flash installed are not vulnerable to the specific exploit, although they are to the underlyng vulnerability in Internet Explorer. Internet Explorer 10 and 11 come with Flash embedded, so they are vulnerable by default.

EMET, the Enhanced Mitigation Experience Toolkit, will also make it more difficult to exploit this vulnerability.

Update 1: Microsoft has updated their advisory for this vulnerability to clarify workarounds.]

Update 2: Microsoft has patched this vulnerability, and details about how the exploit worked have been disclosed.]

Topics: Security, Microsoft, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • "All versions of IE from 6 through 11 are listed as vulnerable"

    Which means that this vulnerability has been there for at least 12 years, possibly more...
    • Most have been..

      in the windows OS for years hence the never ending patches that have plagued it for over a decade now.
      I would love to see Windows go open source so we can scour the code for atrocities. It could never be fixed though because it would take a total re-write of the OS
      • mythology

        recent history shows that just because something's open source doesn't mean people look at the source code for the bugs. Very old bugs are always being found in all kinds of old products.
        Larry Seltzer
        • Except that the number of such security failures

          are minuscule compared to Microsofts failures.

          And quickly fixed too.
          • Not true

            I've seen studies of these things. You can get counts from the CVE database. Microsoft products (the ones from the SDL era) have fewer vulnerabilities which are less severe and updated more quickly.
            Larry Seltzer
          • Patch Deployment

            Patch deployment is a two step process. The vendor/producer must write, test, and release the patch to all potential users. Then the users must install the patch. In most cases the first part is usually done reasonably fast by many producers. But the producers have no control on whether the patch actually gets installed by users, home or business. Many MS patches are not installed in timely manner by some users. I have heard reports of exploits using a hole that was patched several months earlier but many users failed to patch their systems.
          • And?

            "Many MS patches are not installed in timely manner by some users. I have heard reports of exploits using a hole that was patched several months earlier but many users failed to patch their systems."

            Who's fault is this?
          • Fault

            The user once the patch is available.
          • RE: Not true

            First of all the CVE database does not compile that information so you must be hallucinating. Second, the United States Military chooses Linux. The international space station just got rid of all Microsoft products claiming that they were not reliable enough. Third, was the 2008 .Net London Stock Exchange collapsed. They abandoned Microsoft for Linux. The US Navy not totally powers their war ships with Linux. The list goes on and on. Think of all the executives who are going to get fired because they chose Microsoft for their ATMs and POS devices and not they are going to have to make them all over again because Microsoft refuses to support XP anymore even though 33% of the world still uses it. Linux will never go out of support. It will be updated for life eternal.
            Tim Jordan
          • Tim The military all use Linux?

            The US military uses Linux??? MS and MS Office in my military offices and bases. What alt. Universe are you from? Perhaps your tin foil cap is leaking. Out, not in.
          • I used to work for DOD Navy (NavSea)...

            ...and you know why the powers that be picked Linux? Go on, guess.

            Let me help you: Because someone told them Linux was free, that they wouldn't have to pay for licenses.

            What that particular rocket scientist didn't tell them was that while Linux was free (RedHat was their distro of choice) the support contracts for the systems they installed RedHat Linux on costs them MORE than licensed Microsoft versions.

            And yes, after the fact someone compiled the licensing information and showed them that they screwed the pooch financially.

            Had nothing to do with reliability or security and everything to do with perceived TCO savings (which they now realize they failed miserably at). Oh, and when RedHat Linux was deployed to the fleet, you know what happened?

            The sailors charged with running the systems screamed bloody murder because the software they need to use to defend the ships, coordinate helos for undersea warfare ops, etc, that all had to be re-written because what was written to work on Windows wouldn't work on Linux. So they spent a number of years re-writing the software from the ground up in Java. And what the fleet got didn't work right, which means the systems all had to be reverted to Windows with the previous version of the software.

            So um... yeah. Good decision there.
          • Space cadet writing.

            I spent 25 years supporting the United States military. Linux was evaluated. It failed our requirements in security. Utterly. Microsoft allows the US military to access the source code and works alongside to create special versions of the OS, the Air Force uses Windows Gold. Microsoft reaps the benefit of immediate access to the results of military grade attack paradigms. You, sir, are a complete shill.
            The Heretic
          • Packages

            Thousand of flaws coming from hundreds different packages: that is Lisux.
            Lots of bugs, many vendors to blame, not just one.
          • I've seen studies too...

            And most of them report fewer errors per unit of code than what proprietary companies can do...
          • It will be months before Heartbleed is fully deployed.

            The patch was available? But like Android, it will be visible for months.
          • And there's a perfect reasonable explanation for that.

            Windows is by far, the most popular OS.

            If Apple had the majority share of the market, there is no doubt that they would have the exact same issues.

            And no, the "UNIX IS MORE SECURE" argument doesn't work here.

            A majority of these "flaws" are complex workarounds, so who's to say that they wouldn't do the same?

            In fact, this is a good thing for Microsoft.

            They may have had the most reports of security problems, but they also hold the record for the most fixes and solutions.

            Both Mac OS and Linux-based operating systems have obvious holes that we don't even know about yet, simply because they aren't bombarded by hackers every day.

            Security through obscurity can only go so far.
          • There's nothing "obscure" about Open Source code

            Cookie, your power to twist reality is amazing: Open Source code is open, by its very definition. Nothing is hidden because there's nowhere for it to hide.

            And when you consider that things like Open Source servers and mobile operating systems are common-place, I would dispute that it isn't "bombarded by hackers every day" as well.
          • I'm not twisting reality.

            I'm stating it exactly the way it is.

            Obscurity is "the state of being unknown, inconspicuous, or unimportant".

            OS X holds less than 10% of the market-share, while Linux holds less than 5%.

            And the last time I checked, servers and smartphones WERE NOT PCs.

            Besides, just because your code is open source doesn't mean that hackers won't target it.

            Why do you think Mac OS (closed-source) and Linux-based (open-source) operating systems get security patches?

            What is your argument against me, exactly?

            Are you trying to claim that Linux is targeted more than Windows.
          • And "security through obscurity" is defined like this.


            "Security through obscurity is generally a pejorative term referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security."

            Your attempt to twist this into applying to Open Source is ludicrous.
          • Is your argument so weak you need to resort to being a pedant?