Microsoft released today a security update for Internet Explorer 10, Internet Explorer 11, and Microsoft Edge that updates the bundled Adobe Flash libraries. This patch is only available for users of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10 and resolves vulnerabilities that could allow an attacker to remotely execute code on an attacked machine. It is strongly advised that all users immediately install this update so that Internet Explorer is no longer vulnerable.
It is important to note that even if you do not use Internet Explorer, other applications that utilize it would still be vulnerable. For example, Microsoft Office 2007 and 2010 both utilize Internet Explorer and would be vulnerable if this update is not installed.
In the Microsoft security advisory they explain how attackers could use this vulnerability:
In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
In a web-based attack scenario where the user is using Internet Explorer in the Windows 8-style UI, an attacker would first need to compromise a website already listed in the Compatibility View (CV) list. An attacker could then host a website that contains specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
Get updating!
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now