Microsoft issued an out-of-band security patch for Internet Explorer versions 7 through 11 to fix a critical security flaw that allows attackers to infect users when they visit certain websites, with no action required from those users (an attack known as a drive-by download).
The zero-day flaw is being actively exploited in the wild right now, which is likely why Microsoft pushed an update for it as soon as possible. The company credits Google researcher Clement Lecigne with finding the zero-day vulnerability.
In the past, Microsoft wasn't too happy about Google giving it only 90 days to push a patch for one of its security vulnerabilities found by Project Zero researchers, but the company seems to have responded much more rapidly with a fix this time.
According to Qualys CTO Wolfgang Kandek, there are multiple mechanisms that attackers can use to deploy malware through this vulnerability, including:
- Hosting the exploit on ad networks, which are then used by entirely legitimate websites;
- Gaining control over legitimate websites, say blogs, by exploiting vulnerabilities in the blogging server software or simply weak credentials;
- Setting up specific websites for the attack and manipulating search engine results;
- Sending you a link to the site by e-mail or other messaging programs.
After users are infected, the malware gains the same privileges as the user, showing once again how important it is to stay off Administrator accounts. With Admin privileges, the attackers can gain full control over the machine and can install even more malware on it, if necessary for their purposes.
Because Microsoft has just disclosed the bug, there's still time for attackers to integrate this vulnerability into their exploitation tools before most people update their Windows machines. That's why it's critical that all users update their PCs immediately -- or just use a browser other than Internet Explorer.
Microsoft's new Edge browser in Windows 10 is unaffected by the bug, proving how necessary it was for Microsoft to break away from the Internet Explorer legacy and start fresh with a new codebase that's cleaner and more secure.
Enterprises are likely not going to upgrade their users' PCs very soon, but if they use Microsoft's EMET tool, which protects against memory corruption bugs such as this one, they should be safe even when using Internet Explorer. However, this should only be used as a temporary solution, because zero-day flaws in EMET itself may also exist in the wild, which could make a bypass easier.