It has been a rough week for Internet Explorer. Over the weekend Microsoft released Security Advisory 2963983 about a zero-day exploit in IE which is being used in the wild. Then yesterday Adobe released an emergency security update to fix a critical flaw in its Flash Player. As a result of Adobe’s patch, Microsoft has also updated the version of Adobe Flash Player built-in to Internet Explorer 10 and 11.
The zero-day exploit in IE allows attackers to execute arbitrary code if users visit a malicious website with an affected browser. In the worst-case scenario the vulnerability can be used to silently install malware on a PC without any user interaction, simply because the user visited a hacked or malicious site.
The vulnerability was found by FireEye, which published its own advisory. According to FireEye, the zero-day exploit affects IE6 through IE11, but the attacks seen in the wild are only targeting IE9 through IE11. “The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” wrote Xiaobo Chen, Dan Caselden and Mike Scott for FireEye.
Dustin Childs from Microsoft’s Security Response Center wrote that IE users should “exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders.” There is currently no Fix It or patch for this zero-day exploit; however, Microsoft did release some workaround information as part of the security advisory.
The Flash Player vulnerability was discovered by Kaspersky Lab. According to Vyacheslav Zakorzhevsky, Kaspersky Lab detected two new Flash exploits which it hadn’t seen before. They sent the exploits off to Adobe and the company has now confirmed that they are indeed new zero-day vulnerabilities.
The Flash update for IE applies to Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.