Microsoft is rushing to patch a newly discovered flaw in its Internet Explorer web browser that has left millions of users potentially at risk.
Microsoft has acknowledged that the ‘zero day’ RCE (remote code execution) vulnerability has been spotted “in the wild”, with hackers able to take over a computer, install malicious software, and create user accounts.
The bug was discovered by FireEye Research Labs and affects Internet Explorer versions 6.0 through to the current version 11.
The exploitation of this flaw appears to be part of a larger ongoing campaign, which FireEye have named ‘Operation Clandestine Fox’, against US-based defence and finance sectors.
The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.