Microsoft has confirmed FireEye’s report that revealed an unpatched vulnerability in Internet Explorer 9 and 10. The combined user-share of IE 9 and IE 10 is about 32%, and while people using Windows 7 and higher can upgrade to IE 11, the latest version of IE, Windows Vista users can’t enjoy such luxuries.
FireEye, a global network security firm, reported the vulnerability just two days after Microsoft issued a patch for every version of IE which fixed around 2 dozen flaws. The attack code, was described as “classic drive-by download attack”, something which is categorized under the most dangerous browser-based attacks.
This exploit reportedly circumvents one of Windows’ most critical anti-exploitation technologies ASLR (address space layout randomization) using Flash ActionScript which is used by many websites that run content using Flash player.
Microsoft is aware of the issue but hasn’t announced if they have found a solution, and whether they will provide the update before the next Patch Tuesday, which is scheduled for March 11. “Microsoft is aware of limited, targeted attacks against Internet Explorer 10. Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected," a Microsoft spokesperson told ComputerWorld.
Security firm Websense said that it has evidence that this exploit attack has been going on for at least the last three weeks. It also believes that this attack was targeting visitors at the French Aerospace Association's website.
It is alarming news for Windows Vista users, which according to the data from Net Applications, constitute about 3.6% of all desktop users, since now they can’t upgrade to IE 11, and are tied to IE 9 by default.