IE bug allows Windows PCs to be hijacked

Software giant Microsoft has found a zero-day vulnerability in ancient versions of Internet Explorer.

According to Vole, the problem exists in browsers from IE 6 through IE 8 but not later versions.

The attack means that hackers can gain control of Windows-based computers so that they host malicious Web sites.

In the company’s security blog, a spokesVole said that the remote code execution vulnerability affects the way the browser accesses memory, allowing an attacker to use the corrupted PC to host a Web site designed to exploit the vulnerability with other users.

What happens is that the attacker hosts a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit it.

It all depends on users visiting these websites, but that is not normally a problem. Normally attackers just spam users and encourage them to open a link in an email.

The flaw has reportedly been used to exploit Windows PC users who visited the Web site for the Council on Foreign Relations. Darien Kindlund, senior staff scientist at security advisor FireEye, said that site has been hosting the malicious code since at least December 21.

Apparently the code uses Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability.

You can read what Microsoft has to say about the vulnerability here