by CIO Staff

Microsoft IE Hit With New Zero Day Attack

Sep 19, 2006

Despite the efforts of Microsoft and independent security researchers to hunt down Internet Explorer security flaws, a previously unknown IE bug has appeared in the wild and is being actively used to hijack Windows systems, researchers said on Monday.

The flaw is in IE’s vector markup language (VML), according to security firm Sunbelt Software, which has spotted an exploit popping up on several Russian-hosted porn websites.

“Our security research team has observed a new zero day exploit being used to infect systems,” said Eric Sites, Sunbelt’s vice president of R&D, on a company blog.

The vulnerability affects Windows and IE 6 with all patches applied, Sites said.

“The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode,” he wrote. “It is currently on and off again at a number of sites.”

The exploit in circulation installs spyware and attempts to hijack systems to be used in botnets, according to researchers. Sites said research is ongoing, and that Microsoft had been informed of the issue.

Users can mitigate the problem by turning off JavaScript, according to Sites.

-Matthew Broersma, (London)