Zero-day loophole in older IE browsers found

Summary: Attackers can exploit the Internet Explorer vulnerability to gain the same user rights as the current user and launch malicious Web sites, according to Microsoft.

TOPICS: Security, Microsoft

Microsoft is looking into a vulnerability in older versions of its Internet Explorer (IE) browser which, when exploited, could give the attacker administrative user rights on the computer and host malicious Web sites.

In a security advisory issued last Saturday, the software giant said it is investigating public reports of the zero-day loophole in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. The newer versions, IE9 and IE10, are not affected by this vulnerability, it added.

The company said the remote code execution vulnerability lies in the way "IE accesses an object in memory that has been deleted or has not been properly allocated".

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft stated.

Once administrative rights are obtained, attackers could then launch malicious Web sites targeting unsuspecting Internet users.

"In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site," Redmond added.

Once investigations are completed, Microsoft said it will take the "appropriate action" to protect its customers, which may include providing a patch through its usual monthly security update process or an out-of-cycle security update.

Kevin Kwang

About Kevin Kwang

A Singapore-based freelance IT writer, Kevin made the move from custom publishing focusing on travel and lifestyle to the ever-changing, jargon-filled world of IT and biz tech reporting, and considered this somewhat a leap of faith. Since then, he has covered a myriad of beats including security, mobile communications, and cloud computing.

  • They also found that IE6, IE7, and IE8 are... old

    So is XP. Get over it and move on people.
    Johnny Vegas
    • Interesting. In what other

      Industry would you excuse a manufacturer defect by saying get over it and just buy the new product?
      • Excuses.

        Really not needed. Look at Apple. j/k
  • Do you know how much time we'd save...

    If ZDNET just published one article stating "Microsoft makes swiss cheese products which have been proven without a doubt to be virus supporting and full of holes and spaghetti code." And then just repeated the same article every day. Truth in publishing. Love it.

    Oh, and this makes it look like IE 10 or whatever is safe; well, in two years or so, we'll find it was just as full of holes as everything else Microsoft's 'wizards of programming' have developed.

    It amazes me that people actually spend their hard-earned money, and have spent it, for the past 20 years on this absolute crap that MS makes. But, people also bought the Pinto when it was exploding into flames just by sitting by itself awaiting to have its promo pictures taken. PT Barnum would be proud of Bill 'Convicted Predatory Monopolist' Gates.
    • Nothing swiss cheese about it.

      At least no more so than any other operating system.
    • I bet you didn't know this

      All software gets updates, even OS X and Linux get software updates.
      Michael Alan Goff
  • Microsoft

    Am I the only one that thinks Microsoft does this on purpose to force people to upgrade to their "new and safe" (and crappy) Windows 8? Seems a little coincidental timewise.
    • you probably are

      Windows 7 is getting IE 10
      Michael Alan Goff
    • Microsoft does this on purpose to force people to upgrade

      You are right. Microsoft does mess with things so that you might upgrade. I use XP and IE 8. Never had a problem until all the updates lately. Now I get IE 8 not responding all the time. Have to double click and wait for it to re-connect. Very annoying.
      • How long should they support XP?

        That's a serious question.
        Michael Alan Goff

    Wow, the trolls are working hard today. Who hasn't updated IE by now knowing darn well that the older ones are full of problems? Esshhh. Even moving to a different browser altogether? If those people still running with older versions are crying and slinging manure because they refuse to update then that's their problem. Software gets repaired and fixed all the time; it's called new releases.
  • IE IE EI Oh ?

    How about a patch that allows us to install the browser of our choice ...kinda what was first planned for Win 7. Simple fix and cost effective and if Bill lies he can even call it Green.
    • You don't know how to install other browsers?

      Because I can install other browsers on my bootcamp partition. I can even make Chrome the browser on the Modern UI.
      Michael Alan Goff