Microsoft confirmed over the weekend that a newly discovered critical vulnerability in Internet Explorer is being exploited by cyber-criminals to gain access to a computer’s memory to execute “drive-by” attacks.
“Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11,” said the company in their announcement made last Saturday.
Microsoft has explained that the vulnerability may enable attackers to gain full access to a user’s computer data just through luring them to a specifically created website. The company explains:
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
Microsoft is currently investigating the issue and once a solution is found the company may release an out-of-cycle security update or wait until their monthly security update rolls out to fix the vulnerability. While this is good news for those running Windows Vista, Windows 7, or even Windows 8.1 on their computers, those with Windows XP will be left the most vulnerable as Microsoft ended support for the operating system only weeks ago although the company did provide ways for users of Windows XP and their other operating systems to mitigate possible attacks. Microsoft is also working with members of their Microsoft Active Protections Program, a vulnerability information early-access program created for security software developers, to help strengthen their products for consumers.
In the meantime, Microsoft has recommended that users install the Enhanced Mitigation Experience Toolkit 4.1 from Microsoft’s website to mitigate the possible attacks on their systems. They’ve also recommended setting Internet Explorer’s “Internet and Local intranet security zone” settings to “High”, enabling Enhanced Protected Mode, and modifying specific files such as “vgx.dll”.