You Can Download Adobe's Patch for the Internet Explorer Flaw Right Now (Updated)

You Can Download Adobe's Patch for the Internet Explorer Flaw Right Now (Updated)

Just a little over a day after Microsoft revealed a massive Internet Explorer vulnerability, Adobe is pushing out an emergency security update to patch the Flash-enabled flaw. In other words, if you're an IE user (and statistically 26 percent of you are), go download it right now.

While the flaw affected virtually all versions of IE, any attacks looking to take advantage of the vulnerability would have to get in through Adobe's Flash Player software. Krebs on Security explains:

That advisory credits Kaspersky Lab with reporting the vulnerability, and indeed Kaspersky published a blog post today detailing two new exploits that have been spotted in the wild attacking this vulnerability. Both exploits, according to Kaspersky, have been used in so-called "watering hole" espionage attacks, an increasingly common attack technique involving the compromise of legitimate websites specific to a geographic area which the attackers believe will be visited by end users who belong to the organization they wish to penetrate.

You can download the Adobe Flash update here. [Adobe via BuzzFeed,Krebs on Security]

Update 4/28 6:47pm: The Adobe update that came out today was actually released to resolve this issue, and is unrelated to the larger IE issue that appeared over the weekend.

18
Original post by Ashley Feinberg on Gizmodo

New Vulnerability Found in Every Single Version of Internet Explorer

New Vulnerability Found in Every Single Version of Internet Explorer

According to a confirmation by Microsoft late last night, a new zero day vulnerability has been found to affect every version of Internet Explorer. In other words—over a quarter of the entire browser market.

Attacks taking advantage of the vulnerability are largely targeting IE versions 9, 10, and 11 in something called a "use after free" attack. Essentially, the attack corrupts data as soon as memory has been released, most likely after users have been lured to phony websites. Microsoft explains:

The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Microsoft is currently investigating the issue and will likely release an out-of-cycle security patch to take care of the problem. Let's just hope it comes soon, because according to security firm Fire Eye, this means that about 26 percent of the entire browser market is at risk.

And since Windows XP users won't be getting the patch for this fairly threatening bug, anyone still running the now-unsupported software is going to have to cough up some big bucks to stay safe. Anyone like—oh, the IRS, for instance. [Microsoft via Cnet]

18 Reply