Microsoft reported a serious flaw in all IE browser versions that leaves them vulnerable to hackers. The flaw allows hackers to gain access to any system via malicious websites. The flaw is reportedly present in all IE versions from 6 to 8.
However, the software giant said there was no evidence of this flaw being exploited by hackers. The flaw was detected by Metasploit, an open source computer security project.
Vulnerability Explained
Microsoft’s Delineation
“In a few words,” wrote Microsoft Security Software Engineer Fermin J. Serna, “Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (thus not supporting ASLR [Address Space Layout Randomization] and being located always at the same base) when processing some HTML tags. Attackers use these predictable mappings to evade ASLR and bypass DEP [Data Execution Prevention] by using ROP (return oriented programming) gadgets from these DLLs [dynamic-link libraries] in order to allocate executable memory, copying their shellcode and jumping into it.”
What To Do?
Remark
Bugs are present in all browsers, and you are not safe just by switching browsers. Best practice is to update them to the most recent versions.
This post was last modified on March 18, 2015 11:20 pm