Microsoft confirmed that a new vulnerability has been identified in Internet Explorer (IE). The flaw affects IE versions 6-11 and Microsoft said it was aware of “limited, targeted attacks” to exploit it. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye, which first reported the flaw Friday.
According to NetMarket Share, the affected IE versions account for more than 50 percent of the global browser market.
The attack leverages a previously unknown “use after free” vulnerability, a memory-safety bug in which a program keeps using a block of memory after it has been released, and bypasses both Windows DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protections, according to FireEye.
Microsoft says it is investigating the flaw and will take appropriate steps.
The vulnerability is currently being exploited by a group of hackers targeting financial and defense organizations in the US, FireEye told CNET.
“The APT [advanced persistent threat] group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (for example IE, Firefox, and Flash) in the past,” FireEye said. “They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”
“The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.” – Microsoft.
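The two descriptions above (FireEye's and Microsoft's) both describe the same bug class: code keeps a reference to an object after that object has been deleted, and the slot may since have been reused for something else. The following C program is an added illustration written for this article, not code from Microsoft, FireEye or Internet Explorer; it models the class with a small object pool and shows one common defensive pattern, generation-tagged handles, in which every free bumps a counter so that any reference kept past the free is rejected instead of silently reading whatever now occupies the memory. The pool, its size and the object names are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define POOL_SIZE 4

/* A handle is an index plus the generation observed when it was issued. */
typedef struct { uint32_t index; uint32_t generation; } Handle;

typedef struct {
    uint32_t generation;  /* incremented on every free; stale handles no longer match */
    bool     live;
    char     name[16];
} Slot;

static Slot pool[POOL_SIZE];

/* Reset the pool to a known empty state (generations back to zero). */
void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Allocate a slot and return a handle; index UINT32_MAX means the pool is full. */
Handle obj_alloc(const char *name) {
    for (uint32_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = true;
            strncpy(pool[i].name, name, sizeof pool[i].name - 1);
            pool[i].name[sizeof pool[i].name - 1] = '\0';
            return (Handle){ i, pool[i].generation };
        }
    }
    return (Handle){ UINT32_MAX, 0 };
}

/* Free through a handle. Returns false for an unknown, stale or already-freed handle,
   so a double free is refused rather than corrupting bookkeeping. */
bool obj_free(Handle h) {
    if (h.index >= POOL_SIZE) return false;
    Slot *s = &pool[h.index];
    if (!s->live || s->generation != h.generation) return false;
    s->live = false;
    s->generation++;                  /* invalidates every outstanding handle to this slot */
    memset(s->name, 0, sizeof s->name);
    return true;
}

/* Resolve a handle to the object's name, or NULL if the handle is stale.
   This NULL is exactly the point at which a raw-pointer design would instead
   read memory that now belongs to a different object. */
const char *obj_name(Handle h) {
    if (h.index >= POOL_SIZE) return NULL;
    Slot *s = &pool[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return s->name;
}

/* The bug pattern: a second reference is kept, the object is freed, the slot is
   recycled for an unrelated object, and the old reference is used again.
   Returns 1 if the stale reference was rejected and the new object is intact. */
int demo_stale_handle(void) {
    Handle a = obj_alloc("button");
    Handle stale = a;                 /* another part of the program keeps this copy */
    obj_free(a);
    Handle b = obj_alloc("script");   /* same slot, different object */
    int same_slot      = (a.index == b.index);
    int stale_rejected = (obj_name(stale) == NULL);
    int new_intact     = obj_name(b) != NULL && strcmp(obj_name(b), "script") == 0;
    return same_slot && stale_rejected && new_intact;
}

int main(void) {
    pool_reset();
    printf("stale handle rejected: %s\n", demo_stale_handle() ? "yes" : "no");
    return 0;
}
```

The generation check is the same idea behind weak references and "tombstone" objects in managed runtimes: the reference itself carries enough information to tell that the target it pointed to no longer exists. It costs one integer compare per access, which is why it is a reasonable mitigation for long-lived object graphs such as a browser's DOM.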
However, the issue may be of special concern to people still using the Windows XP operating system since Microsoft ended official support for that system earlier this month.
About 30% of all desktops are thought to be still running Windows XP and analysts have previously warned that those users would be vulnerable to attacks from cyber-thieves.
Cyber security firm Symantec said it had carried out tests which confirmed that “the vulnerability crashes Internet Explorer on Windows XP”.
Microsoft has suggested businesses and consumers still using the system should upgrade to a newer alternative.