News

'Extremely Critical' IE Exploit in the Wild

Users running fully patched versions of Internet Explorer are vulnerable to a new exploit in the wild that has been used to load adware onto systems whose owners did nothing more than click on a malicious Web address, according to security researchers.

Secunia, a security firm, labels the problem "extremely critical." The company uses the designation for remotely exploitable vulnerabilities that can lead to system compromise, don't normally require interaction and have exploits in the wild.

Unlike most exploits, the IE flaw appear to be a so-called "zero-day exploit" -- in that the exploit appeared before an official Microsoft patch was issued for the underlying flaw. In most cases, exploits are developed after Microsoft or independent security researchers publicly expose the problem along with a simultaneous patch. In those cases, Windows users and malware authors are in a race -- users to patch their systems and malware authors to create an exploit based on the flaw before most systems are protected.

Microsoft, which released its monthly batch of security patches for June on Tuesday, did not have any warnings or information posted about the problem on its main security pages such as www.microsoft.com/security as of mid-afternoon Thursday. A Microsoft spokesperson said the company is reviewing the issue.

"Microsoft is actively investigating public reports of a malicious attack exploiting vulnerabilities in Internet Explorer and will continue to investigate to determine the appropriate course of action to protect our customers," the spokesperson said. "This might include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."

If Microsoft does release a fix before its next Patch Tuesday, which would fall on July 13, it would be only the second time it has issued an out-of-cycle patch since instituting its monthly patching cycle last year.

For customers who want to minimize risks, the spokesperson provided links to two older Microsoft documents that don't specifically reference the problem. One is a page of safe browsing tips at www.microsoft.com/security/incident/settings.asp. The other is for enterprise customers looking to minimize risk by increasing the security of the Local Machine Zone in IE: support.microsoft.com/default.aspx?scid=kb;en-us;833633.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.