Skip to content ↓ | Skip to navigation ↓

Update 4/28 10:25AM : U.S. Homeland Security is advising computer users use an alternative browser other than Internet Explorer, until a patch is released.


A new zero day exploit targeting Internet Explorer is active and in the wild being used by attackers. The exploit targets a vulnerability in Internet Explorer and there is currently no available patch for the exploit. The vulnerability affects versions 6-11, however the active exploit is targeting 9-11.

The group using the exploit is actively targeting US-based firms tied to the defense and financial sectors.With the exploit an attacker can gain the same privileges on the vulnerable system as the current user. The group using the exploit are known to be proficient at lateral movement and difficult to detect, as they typically do not reuse command and control infrastructure.

Microsoft has issued a security advisory:

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

FireEye’s Research Labs identified the exploit being used in targeted attack they are referring to as “Operation Clandestine Fox”:

The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.

Although there is no patch FireEye offers some insight into how to block the exploit:

Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests. Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10.Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.