Internet Explorer Vulnerability Poses Threat Of Remote Code Execution
Written by Kay Ewbank   
Monday, 28 April 2014

A flaw in all current versions of Internet Explorer, caused by legacy ActiveX support, is currently being targeted and could allow an attacker to take control of your computer.

The vulnerability affects Internet Explorer 6, 7, 8, 9, 10 and 11, and concerns the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.

 


 

Microsoft has issued a security advisory explaining that the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. Specifically, an attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Although Microsoft is working on one, there’s no software update at the moment. Meanwhile it suggests that users set Internet and Local intranet security zone settings in Internet Explorer to "High" to block ActiveX Controls and Active Scripting in these zones. The company points out that in all cases an attacker would have to convince users to visit a website designed to take advantage of the vulnerability.
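As an added example (not part of the original article or of Microsoft's advisory), the following PowerShell audits whether the current user's Internet and Local intranet zones actually block ActiveX controls and Active Scripting, which is what the "High" setting is meant to achieve. The registry path and the URL action IDs 1200 and 1400 are standard Windows values that the article does not mention; the function name is hypothetical.

```powershell
# Added example: report the per-user IE zone settings for ActiveX and scripting.
# Assumption: settings live under HKCU; Group Policy may override them elsewhere.
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$zones = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 3; Name = 'Internet' }
)
$actions = @(
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins' },
    @{ Id = '1400'; Name = 'Active scripting' }
)
# URL action policy values: 0 = allow, 1 = prompt, 3 = disallow
$stateNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-IEZoneHardening {   # hypothetical helper name
    foreach ($zone in $zones) {
        $props = Get-ItemProperty -Path "$zonesRoot\$($zone.Id)" -ErrorAction SilentlyContinue
        foreach ($action in $actions) {
            $raw = $null
            if ($props -and $props.PSObject.Properties[$action.Id]) {
                $raw = $props.PSObject.Properties[$action.Id].Value
            }
            $state = 'Not set'
            if ($null -ne $raw) {
                $state = $stateNames[[int]$raw]
                if (-not $state) { $state = "Unknown ($raw)" }
            }
            [pscustomobject]@{
                Zone    = $zone.Name
                Setting = $action.Name
                State   = $state
                Blocked = ($raw -eq 3)   # only an explicit "disallow" counts
            }
        }
    }
}

$report = Get-IEZoneHardening
$report | Format-Table -AutoSize

# Flag anything that is not blocked so it can be followed up.
$report | Where-Object { -not $_.Blocked } | ForEach-Object {
    Write-Warning "$($_.Zone): '$($_.Setting)' is $($_.State)"
}
```

A value enforced through Group Policy is stored under the corresponding Policies key and takes precedence, so a clean result here should be confirmed against the effective policy on managed machines.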

ActiveX is a technology that is only supported by IE because it is a Microsoft-only invention. It is a way of allowing COM components to be embedded in the browser. Despite ActiveX being superseded by .NET and more general Web standards, a surprising number of web sites and even hardware like web cams still make use of ActiveX components, making IE the only browser that will work with them. Hence the discovery of a bug in the way IE handles object deallocation will be a big problem for some users.

Much more of a problem is the fact that the need to continue to support ActiveX in new versions of IE means that the entire family is vulnerable to the problem - and the code is unlikely to have been updated since the days of IE 6.

While a patch will be released for current versions of Windows, anyone using Windows XP will not get an update due to support for XP having ended on April 8.

Browsers other than IE, such as Chrome or Firefox, aren’t vulnerable to the attack, simply because they don't support ActiveX, so they would represent a safe alternative, not only for XP diehards but also for any Windows user - unless of course you need ActiveX support.


 

Last Updated ( Monday, 28 April 2014 )
 
 

   