Internet Explorer has had a bad reputation over the years as a pretty awful browser, and from the IE6 through the IE9 days, that was a pretty accurate statement. However, nowadays Internet Explorer is fairly good and the only browser on Windows worth anything for touch. The guys and gals over at FireEye managed to discover this zero-day exploit and dubbed the entire operation “Operation Clandestine Fox.” They claim that this zero-day exploit targets IE9 through IE11, which together make up about 26% of all browser users around the world, a pretty significant share. Microsoft has also put out a security bulletin on the issue stating that users of IE6 through IE11 could be affected, which would broaden the scope of this issue by millions more users.
While Microsoft claims this issue is occurring in “limited attacks,” the potential for this attack to grow is exponentially greater now that the issue has been discovered but not yet fixed. We don’t know the details of how long FireEye waited to let Microsoft resolve this issue before they announced it, but I have a feeling they didn’t just post about it and expect Microsoft to deal with the repercussions. Microsoft is a much more serious company when it comes to security, which is what makes this IE zero-day vulnerability all the more puzzling. The fact that such a zero day has managed to exist through potentially all versions of IE and only get caught now is also a bit suspicious (now that we live in the post-Snowden era where anything could be deliberate).
As described by the FireEye team, the exploit leverages a previously unknown use-after-free vulnerability as well as a well-known Flash exploit to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections. What this ultimately means for users is that if you’re using Internet Explorer right now, you should probably stop doing so and switch to Chrome or Firefox until this issue gets resolved. Personally, I use four different browsers simultaneously, but I don’t really recommend that to anyone, especially in this case. If you absolutely must use Internet Explorer, then you should disable Flash (or uninstall it) and use your browser with a proper anti-virus application, even though it would just be easier to use Chrome or Firefox in the meantime.