Slashdot Mirror


New IE Zero-Day Being Exploited In the Wild

wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metasploit which will let security teams and attackers alike test systems."

4 of 134 comments

  1. I/E 9 at risk by minstrelmike · Score: 4, Funny

    I'm shocked. Shocked I tell you.

    1. Re:I/E 9 at risk by localman57 · Score: 4, Funny

      Also, I think they should modify all future browsers to use extra caution when opening a file called "exploit.html". In retrospect, it seems so obvious...

  2. Day Zero by puddingebola · Score: 3, Funny

    Been saying for years that if we'd just get rid of day zero on the calendar that so many security concerns could be solved, but instead we get yet another vulnerability. How did this happen on day 260?

  3. Internet Explorer is still a thing? by Trogre · Score: 4, Funny

    Isn't IE that tool people use to download Firefox?

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife