Stop Using Internet Explorer Immediately, Warns Homeland Security

We are currently unaware of a practical solution to this problem – U.S. Homeland Security


Both the U.S. Department of Homeland Security and its UK counterpart are warning users around the world not to use Internet Explorer. The pointed warning not to use IE (any version of Internet Explorer) follows the discovery of “active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer,” and comes from both U.S. CERT (Homeland Security’s Computer Emergency Readiness Team) and the UK’s CERT.

“This vulnerability affects IE versions 6 through 11,” says U.S. CERT of the Internet Explorer issue.

It is so unusual for a federal or national agency to issue such a direct warning about a specific browser that it is hoped all will sit up and take heed.

While Microsoft says “Microsoft is aware of limited, targeted attacks” on Internet Explorer and recommends certain workarounds, Homeland Security is more direct: “We are currently unaware of a practical solution to this problem,” says U.S. CERT, adding that users should “consider employing an alternative Web browser until an official update is available.”

Microsoft does acknowledge that it is “a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.”


4 Replies to “Stop Using Internet Explorer Immediately, Warns Homeland Security”

  1. Ok, I am pretty disturbed by this Microsoft failure on so many levels, I had to pay them to “fix” my Lenovo N585 because I somehow became infected with a new Trojan horse/downloader virus from the IE 11 ActiveX updates and I found the virus 3 days prior to Microsoft posting it on their website. I had to really dig further to get any help with removing it, because the Windows 8 and Windows 8.1 preloaded systems don’t have required fix it tools and attempting to modify the OS yourself is a big OEM assault that will negate any of Microsoft’s liability for support of any kind. I have done everything that is recommended by all their many user forums to make sure I protected my System from this sort of problem. I really feel as if with the extent of this vulnerability extending back to IE 6 is a great repeated flaw that needed to be top of the Windows/Microsoft programming list of required Operating systems fixes. The fact that starting with XP Microsoft made sure to stop third parties not licensed by them to do any required fixes to the registry made your Microsoft product warranty and service support invalid. Requiring a user with errors related to issues from third party software either preinstalled or not to pay for Microsoft support, upgrades, diagnostic products or replacing the OS with an updated license and product key. I don’t know about you but this is not the way to control the piracy of a product by screwing legitimate customers. Then overlooking fundamental quality of your products in order to increase the profit. Now even with the fascinating and useful program features Microsoft has been able to create by focusing on innovation instead of improvements makes a lot more profit for all the other Companies offering similar features which attracts new users and unhappy prior customers. I myself was trying to wait as a loyal customer since pre Windows DOS days.
Seems while Microsoft grew it is no longer deserving of my respect or loyalty I reserve for businesses that balance their consumer profits by the standards their products quality and reputation.

  2. “exploitation of use-after-free” means there is a bug in IE explorer, of the following nature:

    1 – A particular piece of storage is allocated to contain some useful data of some sort.

    2 – That particular piece of storage is subsequently deallocated, putting it on a free list, available for other uses. However, the bug is that the program remembers a pointer to this piece of storage, under the mistaken assumption that this pointer is still useful.

    3 – The program uses the saved pointer to do something to the having-been-deallocated piece of storage (which in all likelihood has pretty much the same contents as when it was deallocated, which means the program is likely to appear to continue to work).

    The problem occurs when some miscreant figures this out, and writes a malware program of some sort which does the following: between steps (2) and (3) above, the malware allocates a piece of storage of exactly the same size, making it quite likely the newly allocated piece of storage is the same piece that was deallocated in step (2) above, and then immediately writes over the data in the allocated piece of memory with data which will do something naughty (or worse) when step (3) above comes along to read the (newly written, malicious) data, and then unknowingly performs whatever bogosity the miscreant intended, such as providing complete control of the entire machine to the miscreant, or sending password files and such over the internet.
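
The three steps and the same-size reallocation described in the reply above, as an added example that is not part of the original comment or article: a toy fixed-size pool in C models the free list deterministically (no real undefined behaviour) and shows one mitigation, a generation-checked handle. The pool, `Handle`, and all function names are hypothetical and constructed for illustration; this is not Internet Explorer's allocator.

```c
#include <stdio.h>
#include <string.h>

/* Toy pool (constructed): LIFO free list over static slots of one size. */
#define SLOTS 4
#define SLOT_SIZE 16
static char pool[SLOTS][SLOT_SIZE];
static unsigned gen[SLOTS];                 /* bumped on every free */
static int free_list[SLOTS] = {3, 2, 1, 0};
static int free_top = SLOTS;
typedef struct { int slot; unsigned gen; } Handle;

static Handle pool_alloc(const char *data) {   /* assumes a free slot exists */
    Handle h;
    h.slot = free_list[--free_top];
    h.gen = gen[h.slot];                    /* remember the slot's generation */
    strncpy(pool[h.slot], data, SLOT_SIZE - 1);
    pool[h.slot][SLOT_SIZE - 1] = '\0';
    return h;
}

static void pool_free(Handle h) {
    gen[h.slot]++;                          /* invalidates outstanding handles */
    free_list[free_top++] = h.slot;         /* LIFO: next alloc reuses this slot */
}

/* Step 3 as the buggy program does it: trusts the saved reference blindly. */
static const char *read_unchecked(Handle h) { return pool[h.slot]; }

/* Hardened read: refuses a handle whose generation no longer matches. */
static const char *read_checked(Handle h) {
    return gen[h.slot] == h.gen ? pool[h.slot] : NULL;
}

/* Runs steps 1-3 with a same-size allocation in between. Returns 1 when the
   unchecked read sees the replacement data and the checked read rejects it. */
int demo(void) {
    Handle saved = pool_alloc("trusted");   /* step 1: allocate */
    pool_free(saved);                       /* step 2: free, reference kept */
    Handle other = pool_alloc("replaced");  /* same size, lands in same slot */
    int reused = (other.slot == saved.slot);
    int stale_sees_new = strcmp(read_unchecked(saved), "replaced") == 0;
    int detected = (read_checked(saved) == NULL);   /* step 3, hardened */
    int live_ok = (read_checked(other) != NULL);
    pool_free(other);
    return reused && stale_sees_new && detected && live_ok;
}

int main(void) { printf("demo: %d\n", demo()); return 0; }
```
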

  3. I don’t use it. But if I’m to warn family and friends, I’d like to be able to tell them just what this means. Could you elaborate for those of us that aren’t so savvy about things like this, please?

  4. What in simple, practical, terms is – “active exploitation of use-after-free”
    ie what could happen???
