CERT-In, the Indian Computer Emergency Response Team, has today released an advisory warning users of a high-risk vulnerability that exists in all Internet Explorer browsers from version 6 to 11 running on all Windows operating systems. CERT-In has said that most of the vulnerabilities it has listed are high-risk ones and that users should get their respective products patched as soon as possible.
The vulnerabilities listed by CERT-In are as follows:
Component Affected: Internet Explorer 6, 7, 8, 9 & 11
Systems Affected:
- Windows XP SP 3
- Windows XP Professional x64 Edition SP 2
- Windows Server 2003 SP 2
- Windows Server 2012 R2
- Windows Server 2003 x64 Edition SP 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Server 2008 for 32-bit and x64-based Systems SP 2
- Windows Server 2008 for Itanium-based Systems SP 2
- Windows Server 2008 R2 for x64-based Systems SP 1
- Windows Server 2008 R2 for Itanium-based Systems SP 1
- Windows 7 for 32-bit and x64-based Systems SP 1
- Windows Vista x64 Edition SP 2
- Windows Vista SP 2
- Windows 8.1 for 32-bit and x64-based Systems
- Windows RT 8.1
CERT-In Vulnerability Note CIVN-2014-0066 / Microsoft TechNet classification MS14-018 – Critical and High Risk
This vulnerability affects almost all Internet Explorer versions from IE 6 to IE 11 on almost all Microsoft operating systems. It is caused by improper handling of objects in memory. A remote attacker could exploit these vulnerabilities by hosting a specially crafted website and then convincing a user to view it in an affected version of Internet Explorer. Once the user opens the malicious website, the attacker can exploit these vulnerabilities to trigger memory corruption, resulting in execution of arbitrary code on the compromised system. The system can then be used to send spam, for phishing, for data theft, or for Denial of Service attacks.
The mitigation for this vulnerability is given below:
- Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting, in the Internet and Local intranet security zones.
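One way to check the two mitigations above on a workstation, as an added example that is not part of the CERT-In advisory or Microsoft's own tooling: the script reads the Internet Explorer zone registry values for Active Scripting and ActiveX in the Internet and Local intranet zones and reports whether each is disabled or set to prompt. The `-Remediate` switch and the `Get-ZoneValue` helper are names made up for this example; it covers only the two settings named above, not the full “High” template, and assumes a machine policy value, where present, overrides the per-user one.

```powershell
# Added example: audit the IE zone settings behind the mitigations listed above.
# Zone 1 = Local intranet, zone 3 = Internet. Action 1400 = Active scripting,
# 1200 = Run ActiveX controls and plug-ins. Data: 0 = enable, 1 = prompt, 3 = disable.
param([switch]$Remediate)   # hypothetical switch: without it the script only reports

$zones   = [ordered]@{ '1' = 'Local intranet'; '3' = 'Internet' }
$actions = [ordered]@{ '1400' = 'Active scripting'
                       '1200' = 'Run ActiveX controls and plug-ins' }
$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$report = foreach ($z in $zones.Keys) {
    foreach ($a in $actions.Keys) {
        # Assumption: a machine policy value takes precedence over the user value.
        $policy    = Get-ZoneValue "$policyKey\$z" $a
        $user      = Get-ZoneValue "$userKey\$z" $a
        $effective = if ($null -ne $policy) { $policy } else { $user }
        [pscustomobject]@{
            ZoneId    = $z
            Zone      = $zones[$z]
            ActionId  = $a
            Setting   = $actions[$a]
            Value     = $effective
            Source    = if ($null -ne $policy) { 'policy' } else { 'user' }
            # Disabled (3) always counts; prompt (1) counts for Active scripting only.
            Mitigated = ($effective -eq 3) -or ($a -eq '1400' -and $effective -eq 1)
        }
    }
}
$report | Format-Table Zone, Setting, Value, Source, Mitigated -AutoSize

if ($Remediate) {
    # Only per-user values are written; policy-managed values are left alone.
    foreach ($row in $report | Where-Object { -not $_.Mitigated -and $_.Source -eq 'user' }) {
        $path = "$userKey\$($row.ZoneId)"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $row.ActionId -Value 3 -Type DWord
        Write-Output "Disabled '$($row.Setting)' in zone '$($row.Zone)'"
    }
}
```

Rows whose source is `policy` and that are not mitigated need to be corrected in Group Policy rather than on the individual machine.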
You can also visit the Microsoft support page here for more information about this vulnerability.