New IE10 zero-day exploit found; could be targeting U.S. military

Microsoft may have released new Internet Explorer security patches earlier this week, but now the company has confirmed that a new zero-day exploit in IE10 has been found and is apparently being used by an unknown group to target members of the U.S. military.

The flaw was found by the security firm FireEye, which it says was used by the mystery hackers to compromise the website of the U.S. Veterans of Foreign Wars. The firm states:

We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend.

Visitors to the site with IE10 loaded another page created by the group in the background, which runs a Flash-based object that completes the rest of the attack. This issue is just with IE10; users who upgrade to the current IE11 browser are not affected by this exploit.

In a statement sent to Computerworld, Microsoft says it is aware of the IE10 zero-day issue and added, "We are investigating and we will take appropriate actions to help protect customers." IE10 currently has 9.28 percent of the worldwide web browser market share, according to Net Applications, but its percentage has gone down rapidly in the past few months since the launch of IE11.

Source: FireEye via Computerworld | Image via U.S. Veterans of Foreign Wars

Report a problem with article
Previous Story

Xbox One storage management update now rolling out

Next Story

HTC: 'We're working with Microsoft on the Blue update on Windows Phone 8X'

22 Comments

View more comments

Kind of unnecessary, can't you sandbox IE11 Desktop like its Modern counterpart? Enhanced Protected Mode+64bit processes for EPM, disabling ActiveX and Flash also tighten up the browser dramatically

as well u could use a good TPL like Easylist to block even more malicious sites along with Smartscreen

warwagon said,
Sandboxie, Don't leave home without it!

IE is already sandboxed. Not sure if this exploit bypasses the sandbox. On win7, the sandbox allows read access, which may be enough for spying purpose without permanent infection. On win8/IEMetro the sandbox has been improved and blocks both read and write access. I don't think this exploit bypasses it.


A better advice would be to install Microsoft EMET, as it is exactly designed to prevent this kind of situation:

http://www.julien-manici.com/b...et-Explorer-Firefox-Chrome/


also, the security researchers have confirmed that this exploit doesn't work if EMET is installed.

As far as I know, there hasn't been any exploit in the wild ever managing to infect a computer running EMET so far!

I advise everyone to install it, even if you're using IE11, Firefox, or chrome.

http://www.microsoft.com/en-us...nload/details.aspx?id=41138

Edited by link8506, Feb 15 2014, 12:23am :

link8506 said,

A better advice would be to install Microsoft EMET, as it is exactly designed to prevent this kind of situation:

http://www.julien-manici.com/b...et-Explorer-Firefox-Chrome/


also, the security researchers have confirmed that this exploit doesn't work if EMET is installed.

As far as I know, there hasn't been any exploit in the wild ever managing to infect a computer running EMET so far!

I advise everyone to install it, even if you're using IE11, Firefox, or chrome.

http://www.microsoft.com/en-us...nload/details.aspx?id=41138

Pretty Neat. Thanks.

Ha good thing IE11 exists...
See to me, MS should stop catering to those who don't help themselves.
UPGRADE AND UPDATE your systems!
nothing MS did made them a target, by using out of date software they do it to themselves

AND so in reality its not a new exploit, its an old exploit.. for an older browser, fixed in IE11

dingl_ said,
Ha good thing IE11 exists...
See to me, MS should stop catering to those who don't help themselves.
UPGRADE AND UPDATE your systems!
nothing MS did made them a target, by using out of date software they do it to themselves

AND so in reality its not a new exploit, its an old exploit.. for an older browser, fixed in IE11

The US military hasn't even approved IE 11 for use on government computers yet. They are very slow to adopt new software. They just started upgrading to Windows 7 about two years ago if you can imagine that.

Does MS still support IE10? Yes they do and there plenty of companies that can't upgrade to the latest and greatest in a timely manner. A quick Google search shows that IE10 is supported until October 2015, so I guess it is MS's problem.

And just because there's one exploit that affects IE10, but not IE11 doesn't mean there aren't other exploits affecting IE11 that don't affect IE10.

MS also supports Windows XP.. Vista, 7 and 8.0, Bugs exist in every software/service.. Just because those are supported and fixed(eventually) does not excuse stupidity in upgrading and staying on top of s--t on your own end

Correct and someone using Windows Vista or 7 should expect the same level of service and security as someone using Windows 8. I fail to understand how an organization is stupid for not upgrading as long as they're running a supported piece of software. The chance for a bug/security hole to be in the newest piece of software is just as great or greater than in the older piece of software!

Stokkolm said,
Correct and someone using Windows Vista or 7 should expect the same level of service and security as someone using Windows 8. I fail to understand how an organization is stupid for not upgrading as long as they're running a supported piece of software. The chance for a bug/security hole to be in the newest piece of software is just as great or greater than in the older piece of software!

What? Windows 7 is not as secure as Windows 8, not even close.
And if you expect Windows 7 to be as secure as Windows 8, you mean Microsoft should basically backport Windows 8 in its entirity back to Windows 7.

You can't expect a version of windows that is already a couple of years old, to be as secure as a version of Windows that has been released months ago. That's just crazy.
You can't expect Microsoft to turn Vista and 7 into 8 either.

And XP is still supported, it should guarantee the same level of security?

The chance of a new piece of software having exploits is greater then old software? Hah.
Yeah I've seen so incredibly much security vulnerabilities for W8.1 its unreal. The OS gets hacked left and right the moment you connect to the internet.

Oh wait, that doesnt happen to 8.1, thats XP.

Slashdot.org covering this already trolls saying it is proof IE was just like it was at version 6. Sigh

IE still has a bad reputation whenever a news article comes about a hack or security.

Torolol said,
IE deserve such reputation.

Why?

Since the IE9 rewrite, Chrome and Firefox consistently have MORE vulnerabilities and are used MORE to exploit systems. (Chrome alone in 2012 had nearly 6x the vulnerabilities IE did.)

Just because they don't make it onto Google friendly news sties or even Neowin, doesn't mean they aren't happening.

For example:
Has Google even published a fix for the Chrome microphone exploit that was going around in Dec/Jan? It let websites listen and record users, even after leaving the website.

sinetheo said,
Slashdot.org covering this already trolls saying it is proof IE was just like it was at version 6. Sigh

IE still has a bad reputation whenever a news article comes about a hack or security.


Run IE10 Metro and this problem won't happen. Stop throwing tomatoes at MS for IE you fool.
It happens because the Desktop version, which is open left and right for YOU AS USER.
Want security, no other browser will be anywhere near as safe as IE.
Last couple of IE10 exploits only work on the 32bit desktop version.... Run it 64bit with its full arsenal of security features, and afaik not a single exploit has gotten outside the IE10/11 sandbox.

Just side info, when IE8 was released, the first IE with a 'sandbox'. It took 1,5 years before someone was able to exploit is in such it was able to break out of the sandbox. Let that sink in, 1,5 years of unexploitable IE. For IE9 it took ~8 months.
IE11/10 64bit Modern is still uncracked either

Does anyone else have any issues with IE11 on some sites? I don't, that I know of, but my brother and his wife both play the heck out of Yahoo games and a lot of those don't work with IE11!

cork1958 said,
Does anyone else have any issues with IE11 on some sites? I don't, that I know of, but my brother and his wife both play the heck out of Yahoo games and a lot of those don't work with IE11!

probably because of user agent sniffing.

try to add incompatible websites to the IE7 compatibility mode. (look in the settings menu)

Hmm?

Sounds logical, but also sounds WAY over either of those two's head!! 2 of the most computer illiterate people you'll ever know.

Thanks

Commenting is disabled on this article.