Daily Archives: April 28, 2014

Microsoft Internet Explorer Use-After-Free Vulnerability Being Actively Exploited

In case you’re wondering what the hell “use-after-free” means, it’s when a program frees memory it was previously using but still refers to it afterward, so that memory can then be used for malicious purposes. Thus, use-after-free.
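To make the definition concrete, here is an added example (not code from Internet Explorer or from this post) that simulates the bug class with a static slot pool, so no truly freed memory is ever touched. The pool, the handle type and every function name are hypothetical; it shows a stale reference silently seeing the slot's next owner, and a generation check that rejects the stale handle instead.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 4   /* constructed toy pool; all names here are hypothetical */
typedef struct { unsigned gen; int in_use; char data[16]; } slot_t;
typedef struct { unsigned idx; unsigned gen; } handle_t;

static slot_t pool[SLOTS];

/* Take the first free slot; the handle records the slot's current generation. */
static handle_t pool_alloc(const char *value) {
    for (unsigned i = 0; i < SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            strncpy(pool[i].data, value, sizeof pool[i].data - 1);
            pool[i].data[sizeof pool[i].data - 1] = '\0';
            return (handle_t){ i, pool[i].gen };
        }
    }
    return (handle_t){ SLOTS, 0 };          /* pool exhausted: invalid handle */
}

/* Release the slot and bump its generation so older handles stop matching. */
static void pool_free(handle_t h) {
    if (h.idx < SLOTS && pool[h.idx].in_use && pool[h.idx].gen == h.gen) {
        pool[h.idx].in_use = 0;
        pool[h.idx].gen++;
    }
}

/* Checked access: NULL for a stale, freed or invalid handle. */
static const char *pool_get(handle_t h) {
    if (h.idx >= SLOTS || !pool[h.idx].in_use || pool[h.idx].gen != h.gen)
        return NULL;
    return pool[h.idx].data;
}

/* Returns 1 when the stale raw pointer sees the new owner's data while the stale handle is rejected. */
int demo(void) {
    handle_t a = pool_alloc("owner-A");
    const char *raw = pool_get(a);          /* reference kept past the free */
    pool_free(a);
    handle_t b = pool_alloc("owner-B");     /* same slot is handed out again */
    return strcmp(raw, "owner-B") == 0 && pool_get(a) == NULL && pool_get(b) != NULL;
}

int main(void) {
    printf("stale reference aliased, stale handle rejected: %d\n", demo());
}
```
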

So, a vulnerability of this type has been uncovered in all versions of Internet Explorer, and is currently being exploited in the wild by hackers. There is no current patch or remedy for it, other than, as I’ve advised before, stopping the use of Internet Explorer altogether by installing an alternate web browser such as Mozilla Firefox, Google Chrome, Apple’s Safari, Opera, etc.

Interestingly, every now and then somebody will ask me if it’s possible to infect a computer simply by opening (displaying) the wrong email. This is one of the cases where, given the right circumstances and with a properly crafted email, the vulnerability could be exploited by just opening that email, especially if you’re using an older version of Microsoft Outlook (2003 or older).

Similarly, this can be exploited by luring a user to the wrong page of a website and having it displayed in Internet Explorer.

I’ll advise once a patch is available for this vulnerability.