
Microsoft issues warning about limited, targeted attack vulnerability in Internet Explorer

Microsoft has issued a security advisory for Internet Explorer due to a "zero-day" vulnerability it has found being used in limited, targeted attacks "in the wild". Affected versions of IE include Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. "Zero day" means it came without warning and "in the wild" means it's already being exploited. There's no mention of Windows Phone being affected, but if you use Windows in general, it's something to be aware of, though not something to panic about. Here's why...

The vulnerability allows remote code execution, but for an attack to work someone needs to trick you into going to a malicious website. What's more, according to Microsoft's security note:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

So, normal, prudent browsing practices should keep you safe. Don't run as administrator, don't click on links to websites you don't know and trust, and if you're at all concerned, default to Firefox or Chrome until Microsoft issues a security fix.

These types of exploits happen. Perfect code is almost impossible these days. From "goto fail" to "Heartbleed", exploits are going to keep getting found. The important thing is how the companies involved handle disclosing and fixing them, and how we keep ourselves safe in the meantime.

If anyone has any other security recommendations, add them to the comments!

Source: Microsoft

Rene Ritchie has been covering the personal technology industry for almost a decade. Editorial Director at Mobile Nations, analyst at iMore, video and podcast host, you can follow him @reneritchie on Snapchat, Instagram, or Twitter.

  • Lots of typos here....
  • No one comes here to check for typos. We come here to look for news & help. Get lost.
  • I was just making a point. It's unusual to see that many typos in one of these articles....
  • No need to be rude.
  • Don't be rude.
  • +928
  • Don't be evil.
  • And typos are part of modern day technology. Live with it.
  • That's barbaric!
  • It's not good journalism. Writing involves copyediting. Only posts written in a hurry should have typos.
  • Posts about a warning to users on a blog are written in a hurry, and that's how it should be, since they want as many people to be aware of the problem as fast as possible. On a post like that if you want to see if it's been edited properly you need to come back the next day and see if the errors are still there. If the errors are still there tomorrow then there really is a problem...
  • I agree with this, but there is no need to attack someone for pointing it out. You weren't in the wrong though.
  • Typos are typos and their supposed to be corrected. Unless your someone who lieks to see language deteriorate. Who would of taught proper spelling and grammer isn't needed in the digital age anymore. ;)
  • *you're
  • You didn't get the joke. And that's the only one you spotted? SMH
  • I got the joke. But that had to be said. I have found many typos :D
  • Lol. Heil grammatik!
  • I'm German. 9th grade. For 9th grade it is ok :b
  • Haha nice one.
  • *grammar
  • *they're
  • *would've *thought *like :)
  • Are you kidding me. Typos are not part of "modern day technology". As a matter of fact spell checking is a part of "modern day technology." All authors on this site should be writing their articles in Word before publishing. It would take care of all the issues with spelling and sentence structure. It would also make the site look more professional and lend it some more credibility.
  • Exactly. **Spell Check**
  • Fixed! Zero day them!
  • Yeah, a lot of the articles have grammar issues. Since I'm addicted to WPCentral, I've just learned to ignore them and read it the way it's supposed to sound in my head.
  • This.
  • It's not rude or barbaric, a professional article should be error free. I'm sure the editors agree.
  • Thank god IE is too slow to consider using.
  • What is this? 2009?
  • Nope, it's quite fast. You are probably talking about IE 8, you should consider updating to IE 11.
  • IE 11 is faster than chrome & Firefox for me.
  • IE11 (and 10 for that matter) is super fast for me using Windows 8. I've actually uninstalled Firefox about a year ago because of this.
  • Faster than any other browser out there at the moment for me. Made me ditch Firefox and Chrome
  • Really? Either upgrade your system, uninstall your 20 toolbars, or quit living in the past.
  • I'm using 11 clean out the box and it is sluggish as anything. Brand new Win 8 laptop. This is desktop mode, not modern UI. Chrome still knocks spots off it and looks better.
  • What box did you take it out of? Because I have zero issues with IE. It works fine on my Windows Phone, it works great on my Surface, and it works perfectly on my PC. On a side note, because I do some web development I do have Firefox just for testing, now that's a sluggish browser, I really hate using FF.
  • You have ZERO issues? Try this. Open web outlook for any institution. Try and change your signature for emails. IE11 can't even open Microsoft services, Chrome can. I love IE11 but this is criminal.
  • Our organization uses MS Exchange Server and we get to check our mails using OWA and guess what, it works best in IE. In fact if you use other browsers, you don't get the full functionality. It could be that your Exchange OWA is not updated to support IE11. We had this problem till sometime ago when older IE versions would open OWA with full functionality but IE11 won't. An update on the server side fixed this and I actually use Outlook 2013 only for tasks like Team Emails, advanced scheduling functions etc. Most of my emailing is now happening with OWA running in IE11.
  • I use Windows 8.1 and IE is definitely the fastest browser out. And comparing the 'look' of browsers... Seriously, there's like 1/10 of your screen for the browser and all of them 'look' almost identical... I don't get it.
  • Mine is also slow and crashes few times so I use opera on my Windows 8 machine
  • Dialog boxes, tabs, notification windows.. just don't look right. I want to like it but in desktop mode it just doesn't cut the mustard. Even starting up takes a good 30 seconds. Maybe I should reinstall it? It came pre loaded on a new Acer V5.
  • Any PC you buy from a vendor, first thing you do is charge it, then wipe it. Gets rid of all the crap software vendors install. With Windows 8/8.1 you could try doing a full system restore, but I'm not sure if that would get rid of everything. To do this, go to the PC settings app>Update and Recovery>Recovery and click on "Remove Everything and Reinstall Windows". Will clean all the junk right out, or it should anyway. Will most likely give your new hardware a nice speed boost too.
  • Cheers I'll give it a whizz.
  • Sounds like out of the box bloated it up. Try a fresh install. It's easy these days. It shouldn't run sluggish at all on a new machine. My four year old 300$ laptop runs it fine. So something is up with the system/install.
  • Yes. I used to use Chrome, but Opera is so much faster than IE, FF or Chrome. At least for me it is.
  • Internet Explorer 11 sluggish on desktop mode? Not here on any of my Windows 8 devices. Chrome and Firefox on the other hand are bloated and sluggish.
  • What about blurry fonts? Forgot to mention that. Twitter is especially bad.
  • Then your box is loaded up with other software interfering with the normal operation of IE, and probably Windows itself.
  • But you can't browse the internet without toolbars.
  • Only the desktop version. Metro IE 11 kicks ass.
  • Exactly. Metro is good. Not everyone lives in the modern UI though.
  • Since IE 9 came out I haven't looked back, now am at IE 11 and am as happy as the day IE 9 came out, if there was IE for Android I would be using that too.
  • I have been using IE since Windows 7. And now I'm currently on Windows 8.1.1 and it works very very good, fast and so on
  • I was going to say almost the same thing: thank God then that nobody uses it! I don't know about speed. I think all browsers are fast on my connection. But the sheer crappiness of it!
  • So this is an issue just for PC, right? Not Windows Phone?
  • I was wondering the same thing...
  • The word "phone" doesn't appear in the warning so my guess is that it's Windows (not Phone) only, at least as currently disclosed.
  • Yeah me too
  • It is definitely PC only.
  • Since the rendering engine is the same, it is also affected. But since Windows phone doesn't have all the components of Windows, it isn't affected.
  • Will Malwarebytes Anti-Exploit help prevent this?
  • Good thing I use Google Chrome!! Love ad block and its speed but I set the default search to Bing! Also Chrome sync.
  • Be careful of Chrome extensions then, they are full of malware
  • I only use ad block and Google Bing rewards hack that earns rewards for me.
  • Live long and prosper, You made me laugh today.
  • Chrome is spyware itself but these kind of attacks also exist within Chrome. Just Bing it up ;) I wouldn't trust extensions; who knows what kind of data they're submitting or doing to your set-up. By the way, the same AdBlock is now available for IE too :D, although personally, I prefer to use TPL within IE. Also, TPL allows you to subscribe to the blocking list created by the AdBlock team.
  • Chrome is the most logical choice, indeed. Instead of running a chance to be hacked with Internet Explorer, Firefox or Safari, with Chrome, you have 100% guarantee that you are being spied on by the browser itself, no worries for hacks anymore, the browser is a hack. Also, it saves passwords very easy, handy to access all of your secret passwords by anyone just with 3 clicks through the settings. Best. Browser. Ever.   /s
  • Lol, probably the best comment I've read in a long time, cheers
  • So much fallacy though >< -- Bam --
  • Default to chrome? Default to google? No thanks, Firefox will do :)
  • Ever tried Opera??? I like it a lot
  • It's Google Chrome ever since they got rid of Presto.
  • At some point was my default browser, but it always felt incomplete for some reason for me, I prefer the non-profit model from Mozilla for my alternative choice of IE
  • Wrong!!!.....Opera uses Chromium engine so does Google Chrome is just Chromium browser with Google bloatware on it....
  • I love Opera. I always have going back to Windows Mobile 5. I'm not saying it's perfect, but it really is good. It's worthy of more praise/attention than it gets.
  • Couldn't agree more - Chrome is malware / spyware itself.
  • I don't know for how long you had been on the internet to believe such a thing.
  • since 1997
  • The only difference is, you are officially spied by the corporation! As their ongoing efforts of harvesting user data, Google profiles all your activities and sell it to the highest bidders: Ads agencies or Government agencies. Corporations can't make billions each quarter doing clean ads business, and especially when all the products are free of cost. There is something seriously wrong with the equation. Think about it!
  • What company profits from selling information to the government :|
  • Your beloved: Google.
  • That'd had been weird if it was something real and not only what Microsoft wants their fanboys to believe.
  • No fanboy conversation here, not from my part at least. For sure Microsoft is not the best company in the world, Microsoft love us etc etc. All of these companies have one final simple goal, it's called profit. Now the fact that Google seems more untrustworthy in the eyes of let's say a lot of people it has to do with their acts and policies. I just wish they were more ethical for final users cause they are indeed an innovative company with great portfolio. And you know what it's their arrogance as well, (If people don't want us to read their gmails they shouldn't send them in the first place). So in short it's not that we woke up a day and said let's hate Google, they did something wrong to create that feeling towards them.
  • Well it's not what Microsoft led me to believe, it's the general perception and unethical approach of making profit on you without your consent! For instance, I registered an online exam and got a confirmation email in my Gmail inbox. After sometime I started getting ads about the same exam organization everywhere (Gmail, YouTube, websites with ads). Did I sign for this? Certainly not. Chrome collects rather more information than the Gmail.
  • I get your point but imagine if they never used these information all the ads would be like the ones you see on piratesbay where it's porn and only porn in your face.
  • Well it seems that once again the coin has two sides, what are we willing to sacrifice for our convenience. Not all people have the same priorities and concerns about their privacy, hence we make our choices according to what we believe is best for us
  • Alright we reached somewhere in the conversation.
  • Or one can use Chromium portable or build from source if one is interested in the rendering engine without the Google bloatware / privacy issues. But even that is not as efficient as IE11, I must say.
  • I like Opera just as much as IE 11
  • Everyone must have a decent firewall and antivirus is a must. Better safe than sorry :P.
  • Running TrendMicro Internet Security. Haven't seen any issues in a long long time using their software/services. Hopefully this one doesn't make it through.
  • I imagine that links you get on social networks are also a hazard..?
  • Sure, social networks especially can be "infected" with malicious links.
  • Seems fast [user disconnected]
  • I've got a security tip that's been working for me for ages: Use your brains.
  • Burn anything with IE in an oven, that will keep u safe
  • Anyone knows a way to make the favorites bar on IE 11 black or other dark colour?! That light grey bar is fugly!
  • When will the fix be out? Patch Tuesday?
  • Even though IE 11 is great for touch and is fast, I hate it as much as I did lots of years ago. There are barely any extensions and that is plainly stupid in 2014. I hope they'll let us install different browsers (different engines) on WP sometime this year, or at the next big update. Chrome all day!
  • How is extension-less browsing stupid? Besides, Internet Explorer was the first browser to introduce extensions, the extension system has been there for years. Also, Chrome and Firefox are the only major browsers that do support extensions as you want it, they are a minority. Not to mention that their mobile counterparts lack support for most of them too.
  • I'm now defaulting to Chrome but I really like IE a lot but the browser's UI isn't as good as Chrome for me. Maybe if I got the fav-bar and adblock working I would use IE11 more (I know/heard they are available but only a lot of shitty malware sites popped up)
  • What do you mean? Just go to the official AdBlock website and there you go. For the favorite bar, what's wrong with right mouse click > Show favorite bar?
  • Ok will follow. Thanks ya Rene !
  • And then they want to change how people see Internet Explorer, these security problems always involve IE, it's impossible not to troll it
  • Maybe because Microsoft wants to be clear with their customers and admits it while others just hide things? I find it a bit unlikely though that these things only happen to IE and Apple's Safari. Both of these giant companies care about their reputation so they try to be as clear as possible. I don't really know, just saying
  • Not a lot of people use IE anyways to make a difference if they stop using it when there is a problem. And most other browser creators tend to be faster at fixing their errors. So... Security threats are not that big of an issue? I babble, but it is a possibility Although. This is probably serious if Microsoft did in fact go out and tell people that IE is facing a threat.
    -- Bam --
  • Why do people keep spreading that bit of misinformation? There are still plenty of people who use IE. Contrary to popular belief the average person doesn't install the latest browser unless they see it advertised enough and they sure as heck don't use extensions with maybe an ad-block being the exception.
  • You do realize that over 25% of internet users use IE, right?
  • As opposed to the other browsers? (Over 25% is not over 50%) Where is the scale heavier? I'm not saying no one uses it. I am saying it holds the minority.
    -- Bam --
  • So you are saying that because the scale is not weighed in favor of IE because there aren't as many people using it (though it's in the number 2 position) all the people who enjoy using it should just jump to another browser because there are more people using the other one? No offense but all browsers have security vulnerabilities, it is the nature of the beast, just some are more open about it than others. Very few, IE included, do nothing about browser-breaking bugs. I'd rather know when something comes up than to be left in the dark just so a company can maintain the appearance of being impervious to bugs/exploits.
  • That was a complete strawman... Never said that. You just don't like what I said "IE isn't as big as the rest." Not too hard to understand, is it?
    Any who, my implication was that it is easier to let, say, 1 million users know that there is a problem.. vs letting 50 million users know that there is a problem. (Just to be clear before another illogical fallacy comes up, I am not saying IE has 1 million users only.) You lose less when 1 million take a break from your product. If you rely on 50 million to use your product, you lose less from fixing the problem and never announcing it to EVERYONE. Now before I hear more nonsensical distortions, this isn't an argument on opinion. This isn't even an argument. It is open minded possibility.
    -- Bam --
  • Whatever you say. I'll not debate you on this because you are allowed your own opinions. If it pleases you to believe I disagree with you solely because you said "not many people use IE" then by all means do so. If it also pleases you to believe your earlier statement would be interpreted by a normal person in any other way than what I concluded it said then more power to you. I'll not get into a silly argument over browser market share or the like as it's pedantic.
  • You don't know how other people think. You cannot decide how people will interpret anything. Just curiosity though, can you read my statements again and make sure you didn't misunderstand what I said?
    And to be fair.. Again, whenever someone says something that others don't like.. They will be challenged. And that's really why the latter misunderstands a point.
    -- Bam --
  • Yes, you did say that. When you claim this stuff show facts, not just some random numbers you pull out of your ass.
  • Are we done here? -- Bam --
  • Note the disclaimer at the bottom of the page:
    Statistics Can Be Misleading
    You cannot - as a web developer - rely ONLY on statistics. Statistics can be misleading.
    Note: W3Schools is a website for people with an interest for web technologies. These people are more interested in using alternative browsers than the average user. The average user tends to use the browser that comes preinstalled with their computer, and do not seek out other browser alternatives.
    Tip: Global averages may not be relevant to your web site. Different sites attract different audiences. Some web sites attract professional developers using professional hardware, while other sites attract hobbyists using old computers.
    Anyway, our data, collected from W3Schools' log-files over many years, clearly shows the long term trends.
    So yes, we are done here. :-)
  • That just says that results may vary depending on website/community. Does that make them wrong? But okay, I understand that and put it here knowingly of what it said.
    So we agree to disagree?
    Friends? :D
    -- Bam --
  • Sure, why not? :-)
  • F*ck, and now, all news are about IE and how dangerous it is to use it. All my hard work at vindicating IE to people has just been useless at all.
  • They had an episode about the "Zero-Days" a few weeks back in NCIS LA. Looks like I might go back to Safari ... Better safe than sorry.
    Thanks for the heads up René & as always, good to see you here :)
  • I have to ask, does anyone else get weird lockups with IE occasionally? Happens to me all the time after a Bing search leads me to for an article. Sometimes YouTube (especially today) but definitely Huffingtonpost. At work on IE 9 and at home on IE 11 (DESKTOP)
  • Well, looks like I will be getting UC Browser again
  • I don't know about you guys, but I'm eagerly awaiting IE12.
  • I have internet explorer 14
  • NSA has been busted again.
  • In addition to what the article says, if you're on Windows 7 x64 or Windows 8, enable "Enhanced Protected Mode" (which blocks this exploit) and if possible, also enable "64-bit processes for Enhanced Protected Mode".  Or, stay in Metro IE, which since it always has EPM on, is just safer in general.
  • The enhanced security feature in windows server makes browsing a pain. I just disable it.
  • Love IE since IE 9. It's just as fast as chrome. Just deactivate any toolbars and add ons.
    To check the impact of add ons, try the IE with no add ons
  • "Don't run as administrator, don't click on links to websites you don't know and trust, and if you're at all concerned, default to Firefox or Chrome until Microsoft issues a security fix." True that! That's why I only used IE as the tool to download other browsers whenever I install Windows, and nothing else.
  • So would this affect IE running in Metro? I'm curious to know the actual answer. Because, from what I understand, Metro IE is quite a bit safer as it is much more restricted and locked down.
  • Microsoft SCROOOGLING me?
  • Why not move to enhanced security even now...if server 2008 can use it what stops us?
  • I used to like IE6 just like XP and from the time IE7 came I avoided using IE and started using Firefox and it used to be good but recently it's been very slow and also makes my system slow. I never liked Chrome cause it eats up more memory. I did not try IE11 after 8.1 update but on my Lumia it works like a charm. Sometimes these vulnerabilities are caused by Adobe Flash Player and Oracle Java plugins.
  • Had beans for lunch today and personally I prefer brand 'x' over brand 'y' and so feel everybody should think like me. Just sharing ;)
  • Wow a good news for me...can I try hack some one