Little more than two weeks after it warned internet users of a web security bug called the Heartbleed Bug, the US government has issued another advisory, this time related to a vulnerability found in Microsoft’s web browser, Internet Explorer.
America’s Department of Homeland Security, which had advised American citizens and business establishments about the deadly Heartbleed Bug, has now issued a statement advising people to use alternatives to Microsoft’s Internet Explorer.
In the new advisory, the department has asked internet users who are using any version of Internet Explorer from 6 to 11 to switch to other web browsers.
“The United States Computer Emergency Readiness Team (US-CERT) is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system. US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available,” the statement says.
A vulnerability was found in five versions of Internet Explorer that could allow remote code execution.
Microsoft also issued an advisory as soon as it learned of the vulnerability, and promised a quick fix for the problem.
What can happen to your system:
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
How you can be targeted:
An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.