News

'Extremely Critical' IE Exploit in the Wild

Users running fully patched versions of Internet Explorer are vulnerable to a new exploit in the wild that has been used to load adware onto systems whose owners did nothing more than click on a malicious Web address, according to security researchers.

Secunia, a security firm, labels the problem "extremely critical." The company uses the designation for remotely exploitable vulnerabilities that can lead to system compromise, don't normally require interaction and have exploits in the wild.

Unlike most exploits, the IE flaw appear to be a so-called "zero-day exploit" -- in that the exploit appeared before an official Microsoft patch was issued for the underlying flaw. In most cases, exploits are developed after Microsoft or independent security researchers publicly expose the problem along with a simultaneous patch. In those cases, Windows users and malware authors are in a race -- users to patch their systems and malware authors to create an exploit based on the flaw before most systems are protected.

Microsoft, which released its monthly batch of security patches for June on Tuesday, did not have any warnings or information posted about the problem on its main security pages such as www.microsoft.com/security as of mid-afternoon Thursday. A Microsoft spokesperson said the company is reviewing the issue.

"Microsoft is actively investigating public reports of a malicious attack exploiting vulnerabilities in Internet Explorer and will continue to investigate to determine the appropriate course of action to protect our customers," the spokesperson said. "This might include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."

If Microsoft does release a fix before its next Patch Tuesday, which would fall on July 13, it would be only the second time it has issued an out-of-cycle patch since instituting its monthly patching cycle last year.

For customers who want to minimize risks, the spokesperson provided links to two older Microsoft documents that don't specifically reference the problem. One is a page of safe browsing tips at www.microsoft.com/security/incident/settings.asp. The other is for enterprise customers looking to minimize risk by increasing the security of the Local Machine Zone in IE: support.microsoft.com/default.aspx?scid=kb;en-us;833633.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • FTC Expands Microsoft Antitrust Investigation Under Trump Administration

    The Federal Trade Commission (FTC) is pressing ahead with a broad investigation into Microsoft's business practices, an inquiry that began in the final weeks of the Biden administration.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Microsoft to Shut Down Skype Services

    Microsoft will discontinue its Skype telecommunications and video calling services on May 5, 2025, marking the end of the platform's decades-long run.

  • Big Blue To Acquire Datastax in Enterprise AI Play

    In a bid to bolster its enterprise-aimed AI capabilities, IBM is planning to acquire Datastax, a leading AI and data solutions provider, for an undisclosed amount.