Microsoft has confirmed a new zero-day vulnerability in Internet Explorer 11 on Windows 8.1 and Windows 7 that allows attackers to steal critical information through an XSS exploit.
Attackers can send an update or security message through IE11 that is filled with malicious code. Once inside, the attacker can steal information from any sites previously viewed, including cookie information like usernames, passwords and IP addresses.
The attack was first shown by David Leo, a researcher with security consultancy firm Deusen. Microsoft claims no user has been hit with this attack, since the user would need to be sent to a malicious website first, something SmartScreen should block.
This could be a prominent tool for attackers if left unpatched, considering the attack works whether or not the site uses Secure Sockets Layer (SSL) encryption. However, Microsoft should have it fixed in a few days.
Microsoft has been hit with a number of zero-day vulnerabilities in the past few months, including a Windows flaw that Google's own security team pointed out two days before an expected patch.
Hopefully, the reassurances from other security firms are enough to make sure Microsoft does more QA before releasing updates, to avoid even more zero-day vulnerabilities.
Plenty of security firms are warning about the incoming dangers from financially driven hackers, who desire payment through ransom or theft instead of chaos.
These hackers could be a major problem for insecure services in 2015, following a 50 per cent increase in online attacks last year.