News

'Extremely Critical' IE Exploit in the Wild

Users running fully patched versions of Internet Explorer are vulnerable to a new exploit in the wild that has been used to load adware onto systems whose owners did nothing more than click on a malicious Web address, according to security researchers.

Secunia, a security firm, labels the problem "extremely critical." The company uses the designation for remotely exploitable vulnerabilities that can lead to system compromise, don't normally require interaction and have exploits in the wild.

Unlike most exploits, the IE flaw appear to be a so-called "zero-day exploit" -- in that the exploit appeared before an official Microsoft patch was issued for the underlying flaw. In most cases, exploits are developed after Microsoft or independent security researchers publicly expose the problem along with a simultaneous patch. In those cases, Windows users and malware authors are in a race -- users to patch their systems and malware authors to create an exploit based on the flaw before most systems are protected.

Microsoft, which released its monthly batch of security patches for June on Tuesday, did not have any warnings or information posted about the problem on its main security pages such as www.microsoft.com/security as of mid-afternoon Thursday. A Microsoft spokesperson said the company is reviewing the issue.

"Microsoft is actively investigating public reports of a malicious attack exploiting vulnerabilities in Internet Explorer and will continue to investigate to determine the appropriate course of action to protect our customers," the spokesperson said. "This might include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."

If Microsoft does release a fix before its next Patch Tuesday, which would fall on July 13, it would be only the second time it has issued an out-of-cycle patch since instituting its monthly patching cycle last year.

For customers who want to minimize risks, the spokesperson provided links to two older Microsoft documents that don't specifically reference the problem. One is a page of safe browsing tips at www.microsoft.com/security/incident/settings.asp. The other is for enterprise customers looking to minimize risk by increasing the security of the Local Machine Zone in IE: support.microsoft.com/default.aspx?scid=kb;en-us;833633.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.