- dotTech - https://dottech.org -

Internet Explorer 8 and earlier is vulnerable to criminal attacks due to new security hole


It looks like the bad news for Microsoft’s Internet Explorer just keeps piling on, with every other day seemingly bringing news about a new security problem for the browser.

This time, however, users of the most recent versions, namely Internet Explorer 9 and 10, can rest easy. A new security hole that criminals are using for targeted attacks is only exploitable on earlier versions of the browser. While it’s good news that not everyone is affected, it leaves all users still on IE 6, 7 and 8 vulnerable to the attack. This is also bad news for Windows XP users, as the more recent and immune versions of Internet Explorer are not compatible with their operating system.

The zero-day exploit was first discovered on the website of the Council on Foreign Relations (CFR), which had been hacked and was hosting malicious code beginning December 21. The CFR website security team is thankfully already aware of the issue and investigating the situation, according to David Mikhail, a spokesperson for CFR. He adds, “We are also working to mitigate the possibility for future events of this sort.”

The malicious code is only served to browsers whose language is set to English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean or Russian. Once the browser passes the initial checks, JavaScript will proceed to load an Adobe Flash file named “today.swf.” This file triggers a heap spray in the browser and downloads a file called “sxainfo.jpg.”
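For defenders, the request sequence described above can be searched for in web proxy logs. The following is an added example, not code from the original article or from Microsoft's advisory; the log format, host names and addresses are constructed assumptions. It flags clients running IE 6 to 8 that fetched “today.swf” and then “sxainfo.jpg” from the same host, and uses the Trident token to avoid misreading IE 9 in Compatibility View as IE 7.

```python
import re

# Constructed proxy log lines (not real traffic): client, host, path, "User-Agent".
SAMPLE_LOG = """\
192.0.2.5 site.example /a/today.swf "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
192.0.2.5 site.example /a/sxainfo.jpg "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
192.0.2.7 site.example /a/today.swf "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
192.0.2.7 site.example /a/sxainfo.jpg "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
192.0.2.8 site.example /a/today.swf "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"
192.0.2.8 site.example /a/sxainfo.jpg "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"
192.0.2.9 other.example /img/today.swf "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.11 site.example /a/sxainfo.jpg "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
MSIE_RE = re.compile(r"MSIE (\d+)\.")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.")


def ie_major(user_agent):
    """Return the real IE major version, or None if the agent is not IE."""
    msie = MSIE_RE.search(user_agent)
    if not msie:
        return None
    version = int(msie.group(1))
    trident = TRIDENT_RE.search(user_agent)
    if trident:
        # Compatibility View reports "MSIE 7.0"; Trident/4.0 is IE 8, Trident/5.0 is IE 9.
        version = max(version, int(trident.group(1)) + 4)
    return version


def find_exposed(log_text):
    """Return (client, host) pairs where IE 6-8 fetched today.swf, then sxainfo.jpg."""
    got_swf, exposed = set(), set()
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        client, host, path, user_agent = match.groups()
        version = ie_major(user_agent)
        if version is None or not 6 <= version <= 8:
            continue
        name = path.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if name == "today.swf":
            got_swf.add((client, host))
        elif name == "sxainfo.jpg" and (client, host) in got_swf:
            exposed.add((client, host))
    return sorted(exposed)
```

Both file names are generic, so a match is a lead for triage rather than proof of compromise.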

Microsoft has released a temporary fix in the form of Security Advisory 2794220. Dustin Childs of Microsoft Trustworthy Computing says, “While we actively work to develop an easy, one-click Fix it solution and security update for this issue, we strongly encourage that customers apply the mitigations and workarounds described in the advisory.”

If you are on Internet Explorer 8 or below, do yourself a favor and follow Microsoft’s advisory at the link below! Better yet, switch to another browser until this problem is truly patched.

Security Advisory 2794220 [2]


[via The Next Web [3], image via eyeliam [4]]