In a security advisory that it issued this past week, Microsoft confirms that it is investigating a certain loophole found to affect Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8. Elaborating on the vulnerability, Microsoft states that it is a remote code execution vulnerability. What is worrying is that once the attacker manages to successfully crack the vulnerability, he can obtain for himself the same user rights as the current user. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft's security advisory reveals further.
The attacker may even go ahead and host malicious websites and then 'convince a user to view the website'. The vulnerability in question has not been found to affect Internet Explorer 9 and Internet Explorer 10. Microsoft, in its advisory, has revealed further that the vulnerability is in the way IE gets through an object in memory that has been deleted or 'has not been properly allocated'.
Newly identified vulnerability found in Internet Explorer
Elaborating on this, Microsoft goes on to explain that in a web-based attack scenario, an attacker could host a website with the webpage used to exploit this loophole. However, the advisory agrees that there is no way that an attacker can force a user to access these malicious websites. What he can do instead, is convince them; this he can do by getting them to click links in an email or IMs.
On its part, Microsoft has affirmed that it will take necessary action once it finishes investigation. The solution may be by the way of offering a solution through its monthly security update release process or an out-of-cycle security updates – depending on user needs.
Microsoft's security advisory reads further, “We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.”
Earlier this month, a security loophole discovered in Internet Explorer was found to be potent enough to track a user's cursor movements, even if their window was inactive, minimised or unfocused. Naked Security reported that the vulnerability was first brought to light by spider.io, vendor of a hosted platform that the company says allows users to distinguish between human website visitors and bots in real time. Interestingly, Spider.io informed the existence of the flaw to Microsoft in October, while adding that the IE version 6-10 were affected. While Microsoft Security Research Center admitted to there being a flaw, it informed spider.io that it has “no immediate plans” to patch it in existing browser versions; it was then that it revealed the flaw.
The security loophole essentially allows attackers to track an IE user's mouse movements, even if they haven't installed any software as such. All that attackers have to do is buy a display ad slot on any website. Spider.io adds, “This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector.”