Ars Technica warns that a new zero-day security vulnerability in Internet Explorer 9 and 10 is being exploited in the wild to install malware on vulnerable computers. Security firm FireEye reports attackers compromised the website of vfw.org, the official website for the Veterans of Foreign Wars, and other sites to distribute the malware.
The FireEye researchers wrote:
The attackers, who appear to be the same ones behind at least two other recent zero-day attacks, were able to exploit the underlying "use after free" bug in a way that modified memory at a specified address. That allowed them to bypass address space layout randomization (ASLR), a technique for minimizing the damage exploits can have by randomizing the memory locations where objects are loaded. By preventing attackers from knowing where in memory their malicious code will reside, ASLR greatly reduces the chances an exploit will succeed. The attackers behind this most recent exploit were able to modify arbitrary memory addresses, allowing them to bypass the ASLR protection.
Microsoft is aware of the attacks and is investigating the issue. The software giant recommends that customers upgrade to Internet Explorer 11 to mitigate the issue.