Categories: SecurityWorkspace

Internet Explorer Zero-Day Exploit Code ‘Widely Available’

Security researchers are warning about an unpatched Internet Explorer flaw as the exploit code is now widely available for hackers to use.

Exploit code has now been submitted to virustotal.com and scumware.org, whilst attacks using the flaw were seen hitting Japanese entities, perpetrated by the same hackers who hit on security firm Bit9 earlier this year.

Microsoft itself warned the flaw had been used in a limited number of targeted attacks, but now crooks across the world have easy routes to carry out malicious campaigns.

Internet Explorer attacks

The vulnerability has likely been present since Internet Explorer 6 was released in 2001, as all versions are said to be affected. Attacks seen so far have targeted IE8 and 9, but it is not known why.

The Japanese campaign has been ongoing since at least 19 August, according to FireEye. The group using the IE exploit is believed to be Chinese and is believed to have strong backing, either from a rich private entity or a government.

“This is about to become as severe as any browser issue can be,” said Rapid7’s Ross Barrett. “There were reports of regionally restricted public exploitation of the issue, but now that the exploit code is in the wild it’s only a matter of time before it appears in commercial malware packs and broader exploitation.

“The vulnerability allows the attacker to gain the privileges of the user. All too often on Windows that means Administrator level privileges.

“The simplest way to avoid this risk is to use a browser other than Internet Explorer.”

For those users and organisations who cannot avoid Internet Explorer, which includes all of the UK government, Microsoft has a “fixit” solution, which can be found here.

Microsoft has not said whether it will issue an out-of-band patch or deliver in its next Patch Tuesday, due in three weeks’ time.

How much do you know about information security? Try our quiz and find out!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago