Microsoft says there is a zero-day flaw in its legacy Internet Explorer browser that has been exploited by hackers. According to the company and researchers, the vulnerability works across Windows 7, Windows 8.1, and Windows 10.
In a note, Microsoft says the flaw is a “moderate” threat found on Windows Server hardware. For consumer users of Windows 10, the threat has been deemed “critical”.
Furthermore, the problem affects some of the latest Internet Explorer versions. Specifically, IE 9,10, and 11.
In its report, Microsoft says the exploit is a remote code execution that gives bad actors the ability to access a system with the same privileges as someone logged in. If that access is on an admin account, the access would be total.
Such an attack would be conducted through a fake website that victims are directed to.
An attacker can be carried out through a crafted website, Microsoft explains.
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft says in an advisory.
Microsoft says an automatic fix will be rolling out shortly. In the meantime, the company points to a manual fix. You can check out the fix on Microsoft's advisory.
Internet Explorer Vulnerabilities
Last year, A researcher published a zero-day Internet Explorer exploit that Microsoft allegedly refused to patch. John Page's proof-of-concept detailed a method attackers can use to remotely steal files from a Windows PC.
“Upon opening the malicious ‘.MHT' file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab ‘Ctrl+K' and other interactions like right click ‘Print Preview' or ‘Print' commands on the web-page may also trigger the XXE vulnerability,” explained Page.
“However, a simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage. Importantly, if files are downloaded from the web in a compressed archive and opened using certain archive utilities MOTW may not work as advertised.”