New Internet Explorer zero-day bug already in use by hackers

While Microsoft plans to fix a number of security issues on Tuesday with new software updates, a security firm claims to have found a new zero-day bug in most versions of Internet Explorer that it says is already being used by hackers.

The FireEye security company reported on the IE bug over the weekend, which it claims affects versions 7, 8, 9, and 10 of the web browser that are used with Windows XP and 7. FireEye claims that there are two separate IE flaws that have been discovered; one of them gives any hackers access to PC memory while the other leaks system information.

FireEye says the attackers who found this zero-day bug in IE have already used it to embed malware code into "a strategically important website, known to draw visitors that are likely interested in national and international security policy," though the security firm did not state which website was infected. The malware that's delivered by the unnamed site only exists in PC memory, which FireEye says makes it "exceptionally accomplished and elusive."

So far, Microsoft has yet to comment on FireEye's report. This bug is different from another security exploit that was found last week to be used in the wild. Microsoft has come up with a solution for that problem but has yet to release a full security patch for the bug.

Source: FireEye via Ars Technica | Image via Microsoft

Report a problem with article
Previous Story

Sony to disallow resell or renting of PlayStation games after initially supporting it? [Update]

Next Story

Microsoft says Xbox One isn't getting new DRM policies

15 Comments

Commenting is disabled on this article.

Nothing anymore wrong with IE than any other browser.

Not even worth discussing which browser is more secure or buggier anymore.

The FireEye security company reported on the IE bug over the weekend, which it claims affects versions 7, 8, 9, and 10 of the web browser that are used with Windows XP and 7

while the flaw exists in IE10, currently the exploit in the wild only affects IE9 on windows 7, and IE8 on xp.

AFAIK, IE10 has never been targeted by a 0 day flaw in the wild yet.
this is due to the use of additional memory protections such as ForceASLR which breaks common ASLR bypass techniques.

anyway, one more reason to switch to windows 8, as it introduces more security memory protection features and a better sandbox than IE on win7.

And I heard a report that Microsoft is slowly abandoning Security Essentials.

It might behoove people to maybe get a stand alone anti-virus. Just about every anti virus now comes with malware and browser defense.

MS are not abandoning Security Essentials, It's just now integrated in to Win 8.x as Windows Defender. Which is different from the included Defender on Win 7. Win 8 also has Smart Screen Filter which is malware protection.

Edited by NoClipMode, Nov 11 2013, 4:07pm :

MSE is a free spin-off from MS System Center Endpoint Protection.
Unless they will be dropping that (highly unlikely) I don't see MSE or Windows Defender since Win8 going anywhere

It's a shame they didn't release the name of the affected site - I'd like to be able to warn my users to avoid it while it's being "cleaned".

Torolol said,
thats why you should rotates other browsers usages.

like a fortune whell that choses vulnerability of the day.. or should I say 0-day?