Security firm FireEye has just disclosed a new zero-day vulnerability that is being used to attack more recent versions of Internet Explorer. This exploit leaves almost 25 percent of the browsers in the market quite defenseless and open to hacker attacks.
That number might be somewhat unbelievable considering the reputation that Microsoft’s web browser has, but there are indeed figures to back it up. As of 2013, NetMarket Share says that Internet Explorer version 9 makes up at around 13.9 percent of the market, while IE10 holds 11.04 percent and the newer IE11 only 1.32 percent. That does add up to quite a sizable sum of users and potential targets of this new exploit. While the vulnerability is actually exhibited in IE versions 6 through 11, FireEye claims that actual attacks have been more focused on the most recent three.
The vulnerability exploits what is known as use-after-free error, which basically tries to use a piece of memory after it has already been released by the operating system, resulting in the ability to execute code that would otherwise be disallowed. The exploit is able to bypass both the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) security systems which have been put in place to prevent this exact kind of unauthorized behavior. FireEye reports that the exploit utilizes Adobe Flash as the means of triggering the vulnerability.
Microsoft has been made aware of the security flaw and has issued a security advisory while a permanent fix is still in the works. Microsoft recommends that users to employ even more security features in Windows, particularly the Enhanced Mitigation Experience Toolkit or EMET, versions 4.1 and 5.0TP to be specific, as well as to run Internet Explorer in Enhanced Protected Mode. FireEye also recommends disabling Flash, since it is the vehicle of the exploit, at least until a patch is made available.
This incident might yet shed even more negative light on the recent situation with Windows XP. Having officially reached its end-of-life, It is highly unlikely that Microsoft will release a patch for this version of the operating system, forcing its remaining users to either live with a vulnerable version of Internet Explorer or upgrade to a newer Windows version, which Microsoft will probably prefer more.