New IE zero day, exploit in the wild
Microsoft has warned of a new zero-day vulnerability that exists in all supported versions of Internet Explorer. The attack targets Internet Explorer 8 and 9.
The vulnerability, tracked as CVE-2013-3893 and already being exploited in the wild, may lead to memory corruption that allows an attacker to execute malicious code in Internet Explorer remotely. Because the flaw was previously unknown, victims could be infected despite having taken the necessary countermeasures. Often, security experts find out about such a flaw only when they discover the malware, hence the “zero day” tag.
Microsoft posted details about the bug in a security advisory and released a temporary Fix it solution for the flaw.
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” says the Microsoft advisory.
After applying the Fix it solution, users are also advised to set their Internet and Local intranet security zone settings to ‘High’ to prevent exploitation of the bug.
In the advisory, Microsoft reported that it was actively working on a patch to resolve this issue, most probably in next month’s security update, due on October 8.