FireEye Research Labs identified a new Internet Explorer zero-day exploit used in targeted attacks Friday, prompting the U.S. Department of Homeland Security to advise people not to use the browser.
According to a release yesterday on the Vulnerability Notes Database, which is sponsored by the Department of Homeland Security, Microsoft Internet Explorer contains a use-after-free vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Internet Explorer versions 6 through 11 are affected. By convincing a user to view a specially crafted HTML document such as a web page or an HTML email message or attachment, an attacker may be able to execute arbitrary code.
Homeland Security states that it is currently unaware of a practical solution to this problem, other than to stop using the browser.
Although some media outlets are reporting that turning off Adobe Flash will keep users safe, Homeland Security advises that this may not be the case.
“Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak,” Homeland Security says.
The department goes on to state that this is made possible with Internet Explorer because Flash runs within the same process space as the browser. Homeland Security then asks readers to note that exploitation without the use of Flash may be possible.