Microsoft may not close IE vulnerability that is already being abused until February 11

A vulnerability has been discovered in Internet Explorer that could allow criminals to execute code remotely under certain circumstances. Microsoft is working on a patch, but it could be weeks before it comes out. The vulnerability is already being exploited in practice.

The security problem resides in the way Internet Explorer’s scripting engine handles objects in memory: it can be exploited to cause memory corruption and run code on affected systems with the same privileges as a user. Attackers can do this, among other things, by luring users to a specially crafted website. Details about the bug, labeled CVE-2020-0674, have not yet been disclosed.

Microsoft reports that it is aware of a “limited number of targeted attacks”. The company has published steps on its site to mitigate the risk of abuse. Microsoft is also working on a patch, but for the release date it refers to its standard policy of releasing security updates on the second Tuesday of the month. That would mean that the fix won’t be released until February 11. The vulnerability is in Internet Explorer 9, 10 and 11 in various Windows versions, including Windows 7, 8.1 and 10. The US Department of Homeland Security saw the disclosure of the vulnerability as reason to publish a warning. US-CERT advises users to use Microsoft Edge or an alternative browser.