Microsoft on Sunday published a new security advisory warning users that a new vulnerability (reference number CVE-2014-1776) has been found to affect all Internet Explorer versions, from Internet Explorer 6 to Internet Explorer 11, although a fix for it isn’t available yet. The security issue has been discovered by security firm FireEye.
“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” Microsoft said. “An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
However, the flaw only works once a user has been convinced to visit a certain websites. Otherwise, the issue won’t harm Windows users. “In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability,” the company said. “In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
Furthermore, the security flaw reveals that “an attacker who successfully exploited this vulnerability could gain the same user rights as the current user.” Thus, users whose accounts have fewer rights could be less impacted by others.
While it’s investigating the security threat, Microsoft advises users to “deploy the Enhanced Mitigation Experience Toolkit 4.1,” or EMET, which would add extra protection layers “that make the vulnerability harder to exploit. Additionally, users can also set the Internet and Local intranet security zone settings to “High” to block the ActiveX Controls and Active Scripting.
The company is aware of “limited, targeted attacks,” that attempted to take advantage of the flaw, but didn’t explain exactly what happened. FireEye said that the new Internet Explorer attack has been included in a hacking campaign against U.S. financial and defense companies, without providing further details.
The problem may be of particular concern to Windows XP users, considering that Microsoft does not support that particular Windows version anymore.