The Department of Homeland Security’s U.S. Computer Emergency Response Team is urging online users to avoid using Internet Explorer, versions 6 through 11, in light of a vulnerability that exposes the Web browser to a zero-day exploit involved in recent targeted attacks. DHS urges users and administrators to “consider employing an alternative Web browser until an official update is available.”
The exploit was first identified by security firm FireEye, which outlined the vulnerability in an April 26 blog post. The company says the exploit is significant because the vulnerable browsers “represent about a quarter of the total browser market.”
US-CERT, in an April 28 statement, says the vulnerability “could lead to the complete compromise of an affected system.”
In addition, Carnegie Mellon University’s CERT program says the vulnerability can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. “This vulnerability is being exploited in the wild,” Carnegie Mellon’s CERT says. “Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.”
Carnegie Mellon’s CERT says it is unaware of a practical solution to this problem, but it recommends the use of the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation of this vulnerability.
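For administrators who need to act on the advice above, the first question is which machines run an affected Internet Explorer release and whether EMET is already in place. The following PowerShell script is an added example written for this page, not code from US-CERT, Carnegie Mellon or Microsoft. It assumes the standard registry locations: the Internet Explorer version under HKLM\SOFTWARE\Microsoft\Internet Explorer (the svcVersion value on IE 10 and 11, the Version value on older releases) and installed products under the Windows Uninstall keys; the EMET DisplayName match is a plain wildcard string and may need adjusting for a particular EMET release.

```powershell
# Added example (not from the article): local inventory check for the IE 6-11 advisory.
# Reports the installed Internet Explorer version, whether it falls in the affected
# 6-11 range, and whether EMET appears among installed products.
# Assumptions: standard registry paths (HKLM\SOFTWARE\Microsoft\Internet Explorer and the
# Uninstall keys); the EMET DisplayName match is a wildcard string match.

function Get-IEVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    # IE 10 and 11 record their real version in svcVersion; their Version value still
    # reads 9.x for compatibility, so svcVersion must be checked first.
    if ($props.svcVersion) { return [version]$props.svcVersion }
    if ($props.Version)    { return [version]$props.Version }
    return $null
}

function Test-EMETInstalled {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $hits = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Enhanced Mitigation Experience Toolkit*' }
    return [bool]$hits
}

$ie   = Get-IEVersion
$emet = Test-EMETInstalled

# One record per host; collect these centrally to see which machines still need
# an alternative browser or EMET until the official update ships.
$report = [pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    IEVersion     = if ($ie) { $ie.ToString() } else { 'not found' }
    IEAffected    = [bool]($ie -and $ie.Major -ge 6 -and $ie.Major -le 11)
    EMETInstalled = $emet
}
$report | Format-List
```

Run it under an account that can read HKLM; it makes no changes. The IEAffected field is true for any IE major version from 6 to 11 inclusive, which is the range the advisory names, so a host showing IEAffected true and EMETInstalled false has neither of the two mitigations the article describes.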
The European Network and Information Security Agency issued an alert April 28, saying this exploit is a “serious zero-day attack on society … which demonstrates that there is no 100 percent security.”
Visit Healthcare Info Security for the full article.