Daily Mirror - Print Edition

IE flaw may allow Windows PCs to be hijacked, Microsoft warns

31 Dec 2012 - {{hitsCtrl.values.hits}}      

Microsoft has confirmed that a zero-day vulnerability affecting older versions of Internet Explorer could allow attackers to gain control of Windows-based computers to host malicious Web sites.

Microsoft acknowledged the issue in a security advisory yesterday that included advice on how users can mitigate the threat posed by the flaw.

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," Microsoft said, noting that more recent versions of the Web browser, including IE 9 and IE 10, were unaffected.

The remote code execution vulnerability affects the way the browser accesses memory, allowing an attacker to use the corrupted PC to host a Web site designed to exploit the vulnerability with other users.

 The flaw has reportedly been used to exploit Windows PC users who visited the Web site for the Council on Foreign Relations, a nonpartisan think tank specializing in U.S. foreign policy and international affairs. The site has been hosting the malicious code since at least December 21, Darien Kindlund, senior staff scientist at security advisor FireEye, wrote in a blog Friday.

"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability," Kindlund wrote.

CNET has contacted Microsoft for more information and will update this report when we learn more.

(Source : CNET)