Skip to main content

Internet Explorer has a zero-day bug that Microsoft needs to fix

Internet Explorer is pre-installed on every Windows PC, even though it’s been superseded by Microsoft’s new Edge browser in terms of long-term support. The reason is simple: Many organizations use the archaic browser for legacy applications, and so Microsoft has had to keep it around but isn’t spending a great deal of time on improving it. Unfortunately, according to one security firm, Internet Explorer has a serious flaw that’s leaving it open to malware attacks.

ZDNet reports on the zero-day bug, which is coming from Chinese antivirus software company Qihoo 360 Core. The company’s security research team claim that the bug uses a Microsoft Office document that has a vulnerability installed that opens a web page that downloads a piece of malware. According to the researchers, the malware exploits a user account control (UAC) bypass attack, and it also utilizes file steganography, which is the technology of embedding a message, image, or file within another message, image, or file.

Qihoo 360 also reported on the bug via Twitter:

We uncovered an IE 0day vulnerability has been embedded in malicious MS Office document, targeting limited users by a known APT actor.Details reported to MSRC @msftsecresponse

— 360 Threat Intelligence Center (@360CoreSec) April 20, 2018

Microsoft responded to ZDNet’s request for comment with the following rather generic statement:

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.”

The following image shows a basic flowchart of how the bug is executed on an affected system. Beyond this, there is not a great deal of information on the flaw and little else to go on in determining just how infected systems are impacted. Until Microsoft fixes the bug, of course, it will remain an issue for Windows users.

Qihoo 360

Apparently, the attack is being conducted globally by an “advanced persistent threat (APT) group.” That implies a group of hackers with some capabilities that can conduct such a sophisticated attack. Unfortunately, there is not much users can do at this point except follow the usual security advice: Keep your systems and software updated, make sure you’re using sufficient malware protection, and don’t open any files unless you’re absolutely certain that it’s from a trusted source and that it was sent on purpose.

Mark Coppock
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…
Microsoft Edge gets hit with the same serious security bug that plagued Chrome
The Microsoft Edge browser is open on a Surface Book 2 in tablet mode.

Microsoft just released an Edge browser update that patches a dangerous flaw that could allow a cleverly designed attack to execute arbitrary code. While every security update should be installed promptly, this one is a bit more urgent because the attack is "in the wild" already, meaning that hackers are already taking advantage of this vulnerability to breach security.

Designated CVE-2022-2294, this vulnerability was actually a flaw with the Chromium project, the open-source code that Google's Chrome browser is built upon. Microsoft uses the same base code for the Edge browser, meaning bugs that affect one often plague the other. Google patched the same bug recently and has been keeping quiet about details of the attack to allow others to make similar fixes, since Chromium is quite a popular codebase.

Read more
Internet Explorer’s slow death has finally come to an end
An Internet Explorer desktop icon.

Today, Microsoft is concluding the retirement and end-of-life support for its Internet Explorer browser.

This will finalize a months-long transition from Internet Explorer to Microsoft Edge. Edge has been the brand's primary browser since early 2020, which now comes as the default browser on new Windows devices.

Read more
Why nearly 50% of Windows 10 users still cling to Internet Explorer
Laptop running Internet Explorer.

In an unexpected development, it seems that many users just can't let Internet Explorer go. Although the browser is retiring, new research shows that up to 47% of Windows 10 devices still use Explorer as their browser.

Seeing as Microsoft has announced its retirement in 2020, users have been given plenty of time to move on to a different browser -- so why is it that so many still choose to stick with Explorer?

Read more