Last week, Mozilla patched a similar zero-day that was being exploited to attack Firefox users. Mozilla credited Qihoo for discovering and reporting the Firefox zero-day.
In a now-deleted tweet, the Chinese cyber-security firm said the attackers were also exploiting an Internet Explorer zero-day. This appears to be the zero-day that Qihoo researchers mentioned at the time.
No information has been shared about the attacker or the nature of the attacks. Qihoo did not return a request for comment seeking information about the attacks.
At the technical level, Microsoft described this IE zero-day as a remote code execution (RCE) flaw caused by a memory corruption bug in IE's scripting engine -- the browser component that handles JavaScript code.
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
Microsoft patched two similar IE zero-days in September and November. Users on older Windows releases are the ones primarily at risk.
September 24, By Nils Macharis. Categories: News, Vulnerability.