Actively Exploited IE7-IE11 Flaw Allows Drive-By Malware Downloads

Microsoft has issued an out-of-band security patch for Internet Explorer versions 7 through 11 to fix a critical flaw that lets attackers infect users who merely visit a malicious or compromised website, with no further action required from those users (a so-called drive-by download).

The zero-day flaw is being actively exploited in the wild right now, which is likely why Microsoft pushed an update for it as soon as it could. The company credits Google researcher Clement Lecigne with finding the vulnerability.

In the past, Microsoft wasn't happy about Google giving it only 90 days to patch a vulnerability found by researchers from Google's Project Zero team, but this time the company has responded much more rapidly with a fix.

According to Qualys CTO Wolfgang Kandek, attackers have several ways to deliver malware through this vulnerability, including:

  • Hosting the exploit on ad networks, whose ads are then displayed by entirely legitimate websites;
  • Taking control of legitimate websites, such as blogs, by exploiting vulnerabilities in the blogging software or simply guessing weak credentials;
  • Setting up dedicated attack websites and manipulating search engine results to drive visitors to them;
  • Sending the target a link to the site by e-mail or other messaging programs.

Once a user is infected, the malware runs with the same privileges as that user, which shows once again why day-to-day browsing should be done from a standard account rather than an Administrator account. With administrator rights, attackers gain full control of the machine and can install further malware as their purposes require. A standard account does not make the infection harmless, since the malware can still read and exfiltrate everything that user can access, but it does block system-wide changes and makes it harder for the intruder to persist.

Now that Microsoft has disclosed the bug, attackers have a window in which to integrate the vulnerability into their exploit kits before most people update their Windows machines. That's why it's critical that all users update their PCs immediately, or at least use a browser other than Internet Explorer until they do.

Microsoft's new Edge browser in Windows 10 is unaffected by the bug, which underscores why Microsoft needed to break away from the Internet Explorer legacy and start fresh with a cleaner, more secure code base.

Enterprises are unlikely to upgrade their users' PCs soon, but if they deploy Microsoft's EMET tool, which hardens processes against the exploitation of memory-corruption bugs such as this one, they should be considerably better protected even while still using Internet Explorer. This should only be a stopgap, however: EMET raises the cost of exploitation rather than fixing the bug, researchers have bypassed it before, and exploits tuned to evade it may also be circulating in the wild.
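As an added example (not code from the article, Microsoft or Qualys), the following PowerShell script checks the three mitigations discussed above on a Windows machine that still runs IE: whether the session holds administrator rights and UAC is enabled, which IE version and recent updates are installed, and whether EMET is installed and has a per-application entry for iexplore.exe. The registry keys, the EMET service name and the EMET_Conf.exe location are assumptions based on the documented defaults for Windows 7 to 10 and EMET 5.x. The script reports the update list rather than asserting a "patched" version, because the article names no KB number; compare the output against Microsoft's bulletin.

```powershell
# Added example: local triage of the three mitigations the article mentions.
# Not code from the article, Microsoft or Qualys. Assumptions are marked.

$report = [ordered]@{}

# 1. Privilege: is this session a member of Administrators, and is UAC on?
#    With UAC enabled, an administrator's IE normally runs on a filtered
#    (non-elevated) token, so drive-by malware starts without admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$report['IsAdmin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Assumed registry location of the UAC policy (EnableLUA = 1 means UAC is on).
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$report['UACEnabled'] = ($policy.EnableLUA -eq 1)

# 2. Patch state: installed IE version (svcVersion exists on IE10+, Version on
#    older builds) plus the most recent hotfixes. The article names no KB
#    number, so compare these against Microsoft's bulletin instead of
#    trusting a hard-coded "patched" version here.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$report['IEVersion'] = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$report['RecentUpdates'] = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -Property HotFixID, Description, InstalledOn -First 5

# 3. EMET: service present and running, and iexplore.exe listed in its
#    per-application mitigations. The service name 'EMET_Service' and the
#    EMET_Conf.exe path are assumptions based on EMET 5.x defaults.
$emetSvc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
$report['EMETServiceRunning'] = ($null -ne $emetSvc -and $emetSvc.Status -eq 'Running')

$emetPaths = @("${env:ProgramFiles(x86)}\EMET*\EMET_Conf.exe", "$env:ProgramFiles\EMET*\EMET_Conf.exe")
$emetConf  = Get-ChildItem -Path $emetPaths -ErrorAction SilentlyContinue | Select-Object -First 1
if ($emetConf) {
    # --list prints the configured applications and their mitigations.
    $listing = & $emetConf.FullName --list 2>$null
    $report['EMETIEConfigured'] = [bool]($listing | Select-String -Pattern 'iexplore\.exe' -Quiet)
} else {
    $report['EMETIEConfigured'] = $false
}

# Summary first, then the update list in full for comparison with the bulletin.
[pscustomobject]$report | Format-List IsAdmin, UACEnabled, IEVersion, EMETServiceRunning, EMETIEConfigured
$report['RecentUpdates'] | Format-Table -AutoSize
```

Run it in an ordinary (non-elevated) PowerShell session, since the point of the IsAdmin check is to see what a drive-by exploit would inherit from the browsing session; a session that reports IsAdmin = True with UACEnabled = False is the worst case the article warns about. Get-HotFix only lists updates installed through Windows Update or WUSA, so an update applied by other means may be missing from the list even though the IE version is current.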


Comment from the forums
  • nukemaster
    This can not be.

    I thought Flash was the only vulnerability and killing it off would put an end to all the problems on the internet.

    Every hole they plug will lead hackers to find 2 more.

    All software has holes, it is just a matter of finding them.

    At least it is being taken care of fast.

    Ad blockers are more important than ever.
  • shiitaki
    My solutions? Pretty damned obvious. I did not know that ads were free to post, and anyone could use the service anonymously! Oh wait! I'm pretty certain that is NOT the case. Google and Yahoo have both been serving up malware ads. The Zero Day team is doing a great job of finding problems; the sales team, on the other hand, is quite literally destroying their business model. As the other poster mentions, a good ad blocker may be the most important security measure. Google and Yahoo are literally blowing holes in their own business model. What is the solution? Google and Yahoo can start cancelling the accounts of companies posting malware. They can start inspecting ads like they inspect everyone's emails!

    Seriously! It is ridiculously obvious that the ad companies are responsible for the content they host. Apparently it is completely legal to hack people's computers, and to write as well as distribute malware. Because all you have to do is follow the money, you morons! Get off your ass and save your business! If you need help connecting the dots, those guys in the Zero Day department seem to be competent.

    Now if you'll excuse me, I have to go find a good ad blocker and do my part in putting a crimp in Google, Yahoo, and all of the other ad companies face-rolling on this.
  • willgart
    What??? Google is responsible for this exploit??? Because this is going through ads... so it's Google's fault. No ads, no problem.
    And why do they create ads that are more than a single image?
    I still don't understand these scripts everywhere when a simple image does the job.

    Send the image to Google, so there is no redirect to any 3rd-party site, that's the first point, and validation can be applied by Google before accepting the ads...