Microsoft reported a serious flaw in all IE browser versions that makes it vulnerable to hackers. The flaw allows hackers to gain access to any system via malicious websites. The flaw is reportedly present in all IE versions from 6 to 8.
However, the software giant said, there was no evidence of this flaw being exploited by hackers. The flaw was detected by Metasploit – an open source computer security project.
Vulnerability Explained
- IE’s security can be bypassed by hackers using basic tags present in any sites.
- After bypassing, a hacker could plant any software (eg: keyloggers) in computer’s memory.
- Data collected by the software (eg: passwords) can be combined with browser cookie or session data and returned back to the hacker.
Microsoft’s Delineation
“In a few words,” wrote Microsoft Security Software Engineer Fermin J. Serna, “Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (thus not supporting ASLR [Address Space Layout Randomization] and being located always at the same base) when processing some HTML tags. Attackers use these predictable mappings to evade ASLR and bypass DEP [Data Execution Prevention] by using ROP (return oriented programming) gadgets from these DLLs [dynamic-link libraries] in order to allocate executable memory, copying their shellcode and jumping into it.”
What To Do?
- Download Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) (A toolkit for deploying and configuring security mitigation technologies)
- After installation, open IE & EMET, verify that iexplorer.exe has a green check next to it in the EMET control panel.
Remark
Bugs are present in all browsers, and you are not safe just by switching browsers. Best practice is to update them to the most recent versions.