According to a confirmation by Microsoft, a new zero day vulnerability has been found to affect every version of Internet Explorer. In other words, over a quarter of the entire browser market. Attacks taking advantage of the vulnerability are largely targeting IE versions 9, 10, and 11 in something called a “use after free” attack. Essentially, the attack corrupts data as soon as memory has been released, most likely after users have been lured to phony websites.
A new zero day vulnerability that resides in all versions of Internet Explorer has been spotted in the wild, Microsoft confirmed late Saturday. The vulnerability, which could allow remote code execution, is being used in “limited, targeted attacks,” according to an advisory issued by Microsoft. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye, which first reported the flaw Friday. The attack leverages a previously unknown “use after free” vulnerability — data corruption that occurs after memory has been released — and bypasses both Windows DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protections, according to FireEye.