The critical security vulnerability CVE-2013-3893, which affects all Internet Explorer versions and allows a hacker to run arbitrary code on the computer of anyone visiting an infected website, is still not properly fixed by Microsoft. Now the exploit has been included in a Metasploit module, making it easily accessible to hackers, and large-scale attacks on Internet Explorer are expected.
On September 17, 2013, Microsoft confirmed that all Internet Explorer versions were vulnerable to a new security flaw designated CVE-2013-3893. The flaw was considered critical and allowed hackers to infect a computer and run arbitrary code, requiring nothing more than that the user visit an infected website. At present, the exploit is only implemented for Internet Explorer 8 and 9, but the vulnerability exists in all Internet Explorer versions starting from IE 6.
As of today, no proper security patch has been pushed out by Microsoft, and the situation appears to be escalating since an attack module has been released for the popular security audit tool Metasploit. While nothing new has been discovered in itself, the readily available attack module suddenly makes the exploit much more accessible to hackers, even those who possess no programming knowledge whatsoever. In essence, this enables "script kiddies" to execute the exploit, significantly increasing the risk of using Internet Explorer.
Those who are concerned about security are advised to avoid Internet Explorer altogether. For those who must use Internet Explorer, there is a temporary Fixit fix from Microsoft that may protect users, although it is only a provisional patch and not a security fix.
Considering that web browsers are one of the most dangerous and common hacker attack vectors, it is surprising that Microsoft still has no proper security patch available after more than 2 weeks.