Windows 10: Internet Explorer zero-day lets hackers steal files from Windows PCs

Read more: Internet Explorer zero-day lets hackers steal files from Windows PCs | ZDNet

:)

 

Microsoft Internet Explorer renamed to Windows Internet Explorer ?




Since version 7 of the world`s most popular web browser - Microsoft Internet Explorer was silently renamed to Windows Internet Explorer.Such a step from Microsoft is not a surprise since Internet Explorer is part of the Windows operation system for a long time.Obviously Microsoft corp. wants to state that Internet Explorer is already considered as a part of Windows and not as an external browser (remember the IE and WMP law issues last year!?).

 

Internet Explorer zero-day alert

Read more: Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser | ZDNet

 

Internet Explorer hit by zero-day exploit, temporary fix issued



Microsoft is urging users of Internet Explorer to download a free security tool, enhanced Mitigation Experience Toolkit (EMET), as an interim measure against a previously unknown zero-day exploit in its web browser software that is under active malware attack by hackers.

Eric Romang, a researcher in Luxemburg, discovered it on Friday after finding his computer infected by the Poison Ivy Trojan, used by hackers to gain remote access to their victims' computers to steal data. According to Romang, further analysis revealed it got onto his computer via a flaw in Internet Explorer.

Poison Ivy exploits a “use-after-free vulnerability” in IE that enables a hacker to create an image URL referencing uninitialized memory. This corrupts the memory and once completely executed gives the attacker remote access with the same permissions as the current user

The vulnerability affects computers running all versions of Internet Explorer from IE6 to IE9, on every single OS release since Windows XP right through to Windows 7 and Server 2008. Interestingly though, Microsoft’s IE 10 running on Windows 8 and Server 2008 are not affected according to Microsoft’s Security Advisory.

“What may be most worrying is that Windows Vista and 7 don’t protect you,” said HD Moore, CSO of security firm Rapid 7, and the chief architect of the Metasploit tool kit, used widely by penetration testers and hackers. “This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS. The surprising thing about this is the fact they (Metasploit researchers) got [it] to work across every one of these platforms.”

The flaw could be sidestepped by upgrading from Oracle’s Java Standard Edition 6 to the newer Java Standard Edition 7 version, though this is not recommended as there is another critical flaw that Oracle hasn’t yet acknowledged or patched in Java 7 Update 7, which could allow an attacker to take control of the computer, according to Ars Technica.

The interim fix using EMET will likely prove complicated for many, especially businesses who may suffer adverse effects with existing software used on their networks. Because of this, security firms such as Symantec recommend computer users switch to an alternative browser like Chrome or Firefox, at least until Microsoft releases a permanent fix to plug the exploit.

http://www.techspot.com/news/50193-...by-zero-day-exploit-temporary-fix-issued.html