Apr 29, 2014 | Security, Web
A New Internet Explorer Security Flaw Leaves One-Quarter Of Web Browsers Vulnerable
By: Charlie Warzel – Great Writer with Buzzfeed Staff
More bad news for online security, especially if you use Internet Explorer to browse the web.
Last night, Microsoft announced that all versions of Internet Explorer have been affected by a “zero day” security flaw (a “zero day” flaw is a vulnerability that gives victims zero days of warning before attack). According to the security company FireEye, the flaw leaves 26.25% of the browser market vulnerable to attack. This, of course, comes just weeks after the OpenSSL flaw Heartbleed left over two-thirds of the internet vulnerable to potential attacks.
Here’s how the web browser market share breaks down for Internet Explorer as of 2013, according to NetMarket Share:
Plainly speaking, the flaw allows attackers to corrupt and steal data after users are lured to fake websites, meaning anyone using Internet Explorer should be extra vigilant clicking suspicious links that might come through email or other spam sites.
Here’s a description of the flaw according to Microsoft’s Tech Security Center:
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
So far, Microsoft says it’s only seen “limited, targeted attacks” as a result of the vulnerability, with most of the attacks coming through IE versions 9 and 11. The company hasn’t released a patch for the flaw yet, but we will continue to update when one becomes available.
Correction: A previous version of this story cited an Adobe security patch as a fix for the Internet Explorer flaw. That patch was unrelated to the specific Internet Explorer error. So far, no patch has been issued. .
