Out-Law News
18 Sep 2012, 2:07 pm
Microsoft issued a 'security advisory' on Monday in which it said it was looking into a "vulnerability" that has been identified in Internet Explorer (IE) versions 6, 7, 8 and 9. The company said it was "aware" that there had been "targeted attacks" by hackers looking to "exploit" the problem.
"A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated," the security advisory notice said. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
IE 10 is "not affected" by the issue, Microsoft said. The company was responding after the Federal Office for Information Security in Germany reported the problem earlier this week, according to a report by the Washington Post.
Microsoft said that some of its browsers and email software contain security features that help prevent attacks from hackers. However, it warned users, giving examples of how attackers may take advantage of the weaknesses in its browser security.
"If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario," Microsoft said in its security advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
"In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website," it added.
Microsoft said that it would take "appropriate action" to protect its customers. The company said it could provide a "solution" to the problem through issuing a security update. It said it was working with its "partners" to "monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability".
The company said that customers should set up a "firewall", install all "software updates" and use "anti-virus and anti-spyware software" to protect themselves from attack.
Microsoft also identified a number of "workarounds" that customers can turn to in order to "help block known attack vectors before a security update is available."