Yesterday Microsoft took to the TechNet Advisory Board to warn all users of Internet Explorer that a remote code execution zero-day had been discovered in its browser.
“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
The flaw was first revealed by security firm FireEye, whose researchers warn that although the attack is specifically targeted at the most recent iterations of IE (9, 10, and 11), it can still work its way into versions going as far back as IE6, which is the earliest update still supported by a majority of pages hosted on the open web.
The exploit is able to easily bypass the Data Execution Prevention system, as well as the ASLR algorithm normally designed to stop these types of breaches in their tracks.
Perhaps unsurprisingly, the crack is based on a falsified SWF file that launches Flash objects at the browser until it finally splits open. It is sort of a mini, Flash-based DDoS that can still affect versions of IE that don’t have Flash or Java enabled, because it imitates the systems that are put in place to accept those types of files and so fools the browser into accepting the package.
Once inside the browser, the remote execution bug allows attackers to take user-level control of privileges and services on the host machine, essentially granting Administrator access to anyone aware of the hole through the web browser alone.
There are several different attack vectors to watch out for with this hack, including phishing attacks that take advantage of falsified SSL certificates to trick users into downloading files from an unknown source, and email attachments hidden within supposedly innocent .zip files sent from “a friend” in your contact list.