FireEye Labs today discovered a new zero-day vulnerability in Internet Explorer 9 and Internet Explorer 10 being exploited on a website based in the US. No user interaction is required: just visiting a compromised website is enough to trigger a classic drive-by download attack, download and install a payload from a remote server. We contacted Microsoft and the company confirmed with us that it is investigating.
“Microsoft is aware of limited targeted attacks against Internet Explorer 10,” a Microsoft spokesperson told TNW. “Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected. We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection.”
A zero-day vulnerability refers to a security flaw that was previously unknown and is being currently exploited in the wild. This one happens to target IE9 and IE10 users, meaning it’s not so severe because not all IE version are affected and users can upgrade to the latest release, IE11. We will update you as we learn more.
Update: The flaw affects IE9 as well as IE10 (previously it was believed only the latter was affected. Furthermore, the US site in question is Veterans of Foreign Wars; you can read more about FireEye’s investigation of the attack here.
Image Credit: Robert Linder