bit-tech.net

Microsoft warns of critical IE9, IE10 zero-day

Microsoft's Internet Explorer 9 and 10 are both vulnerable to a zero-day flaw in the MSHTML shim, with Microsoft recommending a Fix It workaround until a formal patch is released.

Microsoft has issued a warning regarding another unpatched zero-day vulnerability in its Internet Explorer 9 and 10 browsers, which can allow for arbitrary code execution simply through visiting a malicious webpage.

Confirmed late yesterday in an official security advisory, the flaw is serious: while Microsoft claims to be aware of only 'limited, targeted attacks' against the vulnerability, the lack of an official patch coupled with the wide spread of Internet Explorer means that ne'er-do-wells will be racing to exploit the vulnerability before Microsoft can issue an update to close the hole.

'This issue allows remote code execution if users browse to a malicious website with an affected browser,' confirmed Microsoft group manager of response communications Dustin Childs of the flaw. 'This would typically occur by an attacker convincing someone to click a link in an email or instant message. We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.'

Although no automatic fix is likely to be released before next Patch Tuesday, on the second Tuesday of March, the company has deemed the vulnerability severe enough to offer a Fix-It workaround which disables the affected MSHTML shim until a formal fix can be released - but doing so will, naturally, result in any software which relies on the shim failing to work correctly. Alternative workarounds for the flaw include upgrading to Internet Explorer 11, which is not affected, or installing the Enhanced Mitigation Experience Toolkit: current attacks check for the toolkit before installing themselves and refuse to do so if it is present.

This is far from the first time a major remote-code execution vulnerability has been discovered in IE's MSHTML shim: the same component has been blamed for multiple such flaws in the security of the browser, most recently in January 2013 and again in September of that year.

4 Comments

SAimNE 20th February 2014, 21:46 Quote
oh god internet explorer i better tell... a very small percentage of microsoft/xbox diehard fanboys, and about 12 people in the retirement home near here.

that about covers my 200mile radius, you guys do your parts too.
cnyrsitizin 20th February 2014, 23:55 Quote
Wouldn't the easiest work around be to use Firefox or Chrome?
GiantKiwi 21st February 2014, 00:48 Quote
Quote:
Originally Posted by SAimNE
oh god internet explorer i better tell... a very small percentage of microsoft/xbox diehard fanboys, and about 12 people in the retirement home near here.

that about covers my 200mile radius, you guys do your parts too.

Got any estate agents near you? I can guarantee they are using exclusively IE, likely no higher than IE8, are still using Office Suites more than a decade old, etc.
RichCreedy 21st February 2014, 00:49 Quote
Quote:
Originally Posted by cnyrsitizin
Wouldn't the easiest work around be to use Firefox or Chrome?

yeah cos they don't have any security issues of their own