0-Day for IE as May Patch Tues Nears
Page 1 of 1
Microsoft issued an advisory late Friday, warning of a critical flaw in IE 8 that could lead to a remote code execution attack. The flaw only impacts IE 8, according to Microsoft and does not affect IE 6, 7, 9 or 10.
"In the latest watering hole attack against Department of Labor (DoL), our research indicates a new IE zero-day is used in this watering hole attack, although some other vendors claim they are using known vulnerabilities," Fireeye researcher Yichong Lin wrote in a blog post last week.
As it turns out, Lin and Fireeye were right. Microsoft credited the security firm with helping to alert them to the flaw.
"The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft warns in its advisory. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."