Maksim Kabakou - Fotolia
Microsoft released an urgent patch to secure a zero-day exploit found in all versions of Internet Explorer. The vulnerability, named CVE-2015-2502, could potentially allow a wrongdoer to gain admin privileges through a malicious website.
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” Microsoft said in its security advisory. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability.”
Windows 10’s Edge browser, which replaces the IE family, is not affected by the flaw.
Apple often gets to sit back and laugh at Microsoft when vulnerabilities are discovered, but as its OSX gains popularity, hackers are readjusting their sights; and this week, Apple got some pie in its face.
The bug was discovered by a hacker who describes himself on Twitter as an 18 year-old Italian called Luca Todesco. The developer made the vertical privilege escalation security flaw public and has received criticism from the development community for not giving Apple the chance to patch the vulnerability.
In response the critics Todesco said: “This is kinda getting out of proportion. Best outcome for me would have simply been to stay quiet. I had reasons to drop it the other day.”
The tpwn exploit, which exists in all versions of publicly released OS X, requires physical access to a system in order to implement an attack, but could potentially be exploited if a user were install malicious software. Todesco recommends that users install SUIDGuard, available as an installer on Github, to protect themselves from the exploit.
In typical Apple fashion, the OS-maker has declined to comment.
Yet another bug has been found in Google’s Android operating system, affecting all versions dating back to 2.3, released five years ago.
The flaw utilises the mediaserver component, and is similar to the Stagefright bug, allowing malicious applications to execute arbitrary code, says Trend Micro.
“This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop,” Trend said in an advisory.
“An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. Devices with customized versions of Android but with no modification made to the mediaserver component are also affected.”
Google has released a patch for the bug, but due to the disparate Android ecosystem, it could take weeks or even months to reach devices.