A few days after the discovery of security vulnerabilities affecting Internet Explorer, already exploited by hackers, Microsoft announced that its browser would receive the appropriate patches this week, as part of its traditional patch tuesday.

Fireeye, a firm specializing in computer security, has launched on November 8, an alert on new vulnerabilities discovered in the Internet Explorer browser. These have not been discovered through theoretical research, but because a U.S. site storefront broadcast, probably unwittingly, a malicious code to exploit together so that these vulnerabilities were not yet been identified, which earned them the label of "0 day".

According to FireEye, the attack leverages two vulnerabilities allowing each to access the system memory and read the information. Combined, they pave the way for loading in memory, a piece of unauthorized software, without a disk access (or a file download), which makes it more difficult to detect. The different versions of Internet Explorer from 7 to 10 are concerned, mainly in their English versions, although the authors of the discovery believe that nothing prevents to apply this issue to other languages.

Internet Explorer 10

In a second note, researchers at FireEye indicate that these vulnerabilities have been used to disseminate a new variant of a Trojan horse already well known (Trojan.APT.9002, also referred to as Hydraq or McRat). They suspect that this transaction conducted via the infection of "strategically important site, known to attract visitors supposedly interested in national and international security policies" could have supported technical infrastructure that we already found the trace in connection with the attacks detected and nicknamed DeputyDog campaign during September.

Monday, Microsoft acknowledged this discovery, stating that it was on an ActiveX control, and announced that a security bulletin (MS13-090 reference) will be released Tuesday evening to put an end to these faults.