Zero-day bug discovered in Internet Explorer 8


A new remote code execution vulnerability that is actively being used to break into computers has been discovered in Internet Explorer 8. The flaw received widespread attention due to at least one high-profile attack, in which the United States Department of Labor website was hacked and planted with malicious code in a "watering hole" attack last week.

Microsoft (NASDAQ: MSFT) acknowledged the problem in a new security advisory published on Friday. According to Microsoft, the vulnerability is related to how IE 8 accesses an object in memory that has been deleted or that hasn't been properly allocated.

Memory could be corrupted in a way that allows a remote attacker to execute arbitrary code in the context of the current user. The problem does not affect other versions of Internet Explorer, such as IE9 or IE10, though all operating systems that run IE8 are at risk.

IE8 is the most widely used web browser that is currently supported by Microsoft, accounting for some 41 percent of the company's browsers, according to Network World. Microsoft has not offered a timetable for a fix, and there may not be sufficient time to ready an update for the company's next Patch Tuesday on May 14. However, Microsoft has been known to release out-of-band updates to resolve serious security problems.

Discovery of this IE8 zero-day has been credited to researchers at FireEye and iSIGHT Partners. For now, users on IE8 are urged to upgrade to either IE9 or IE10, though these options are not available for users on Windows XP.

For more:
- check out this article at Network World
