Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote malicious users to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
Vulnerable Product |
---|
microsoft internet explorer 11 |
microsoft internet explorer 6 |
microsoft internet explorer 7 |
microsoft internet explorer 8 |
microsoft internet explorer 9 |
microsoft internet explorer 10 |
Backdoors targeting government victims
Security experts have uncovered attacks exploiting a zero day vulnerability in Japan’s most popular word processing software, bearing all the hallmarks of a Chinese group blamed for last year's New York Times hack. Ichitaro developer, JustSystems, announced a remote code execution vulnerability in multiple versions of the software last week. Symantec has claimed, in a blog post, that it had already detected attacks in the wild attempting to exploit this vulnerability, which could lead to the e...
A decade on, Microsoft pushes out 8 bulletins – half of 'em critical bug squishes
Microsoft delivered no fewer than eight bulletins to mark the tenth anniversary of Patch Tuesday, including a fix covering two zero-day vulnerabilities in Internet Explorer. A critical patch for all supported versions of IE covers a well-anticipated fix for the CVE-2013-3893 vulnerability, which has been associated with cyber espionage-style attacks against targets in Japan, Taiwan and elsewhere in Asia since late August. Microsoft also released a bonus extra fix for another in-the-wild browser ...
Microsoft’s 2013 Treehouse of Horror Bulletins include a long list of fixes for memory corruption vulnerabilities affecting mostly previous versions of the software, and not the latest versions. Of immediate interest to most Windows users are the critical vulnerabilities being patched in Internet Explorer, multiple Windows drivers, and the .Net Framework which even affects the latest versions of Windows 8 and Windows Server 2012. Systems administrators at organizations also may pay immediate a...
What a way to celebrate a DECADE of Patch Tuesday rollouts
Microsoft is preparing to close a wide-open security hole in Internet Explorer - a vulnerability state-backed spies are exploiting to mine organisations across Asia. An update to fix the flaw is among four critical patches Redmond has lined up for the October edition of Patch Tuesday, due next week. Versions 6 through to 11 of the web browser are known to be vulnerable. The use-after-free bug in Internet Explorer [CVE-2013-3893] allows attackers to execute arbitrary code on a victim's computer; a...
In September Microsoft published information about a new Internet Explorer vulnerability – CVE-2013-3893. The vulnerability affects IE versions 6 through 11 for platforms from Windows XP through Windows 8.1. Later in September, the company released a patch closing the vulnerability. Cybercriminals are happy to exploit such vulnerabilities because they are easy to monetize – Internet Explorer remains popular. This type of vulnerability is very dangerous because it allows the execution...
Oh, sysadmins. It's so much worse than we feared – report
An as-yet-unpatched zero-day vulnerability affecting Internet Explorer is being abused much more widely than analysts had previously suspected. The vulnerability first came to public attention last week with the Operation DeputyDog attacks against targets in Japan, as first reported by net security firm FireEye. Websense, FireEye and AlienVault have since reported more malware-flinging campaigns exploiting this vulnerability. Several groups are using an exploit that takes advantage of security b...
Bit9 attackers aim malware at Japanese 'entities'
Security researchers have spotted two new targeted attack campaigns aimed at organisations in Japan, China and elsewhere in Asia, one of which exploits a zero day exploit in Internet Explorer revealed only last week. Operation DeputyDog is targeted at “entities in Japan”, using the IE vulnerability CVE-2013-3893 which Microsoft released an emergency patch for last Tuesday, according to security firm FireEye. The payload for the attack, first detected by FireEye at the end of August, was host...
Remote code execution vuln
Stepping outside its normal Patch Tuesday cycle, Microsoft has rolled out an emergency fix to an Internet Explorer bug that was under active malware attack. This advisory provides access to “Fix it For Me”, with a more detailed outline of the CVE-2013-3893 vulnerability here. All versions of IE 6 to 10 are affected. As Microsoft writes, the vulnerability “exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vuln...