Microsoft Patches 0-Day IE Flaws
Microsoft rushed out a full patch for five separate vulnerabilities affecting its Internet Explorer browser, one of which was publicly disclosed while four were privately reported to Microsoft.
"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," Microsoft stated in its security bulletin on the issue. "An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user."
The flaws affected multiple versions of IE including IE 6, 7, 8 and 9. IE 10, which is currently only available for Windows 8, is not affected by the flaws.
"Today we released a security update to address the Internet Explorer issue impacting a small number of customers," said Yunsun Wee, director, Trustworthy Computing Group. "While attacks have been limited, for increased protection customers should apply the update as soon as possible if they do not have automatic updates enabled."
All five of the flaws are use-after-free errors, involving the OnMove, Event Listener, Layout Use, cloneNode and execCommand functions. In a use-after-free flaw, memory that had been allocated for a legitimate use is abused by an attacker after that use has ended and the memory has been freed.