In this month’s “Patch Tuesday”, Microsoft addressed 24 security holes and bugs in Internet Explorer. However, it seems to have missed one affecting Internet Explorer (IE) 10, which attackers are currently exploiting widely.
The attack takes advantage of a “Use-After-Free” memory corruption flaw in Internet Explorer 10, which lets attackers abuse memory that the program has already freed. They deliver it through a “watering-hole attack”: legitimate websites are infected so that users are attacked when they visit them. One of the infected sites is that of the U.S. Veterans of Foreign Wars.
It is considered a zero-day bug, referred to as “CVE-2014-0322”, and Microsoft has responded that it is aware of the issue and is actively working on a patch. Until the patch is made available in the next round of updates, users can be proactive by upgrading to the newer IE 11, as the attack only targets IE 10.
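Since the attack only targets IE 10, administrators can use web proxy logs to find which clients still need the upgrade. The following is an added example, not part of the original post: it assumes a log layout in which the client IP is the first field and the User-Agent is the last quoted field, the function names are hypothetical, and the sample log lines are constructed. It reads the `Trident/` engine token so that IE 10 running in Compatibility View (which reports `MSIE 7.0`) is still identified.

```python
import re
from collections import defaultdict

# Trident engine token -> real IE major version. The token stays the same in
# Compatibility View, where the MSIE token drops to an older version.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

UA_FIELD = re.compile(r'"([^"]*)"\s*$')  # assumed layout: User-Agent is the last quoted field
TRIDENT = re.compile(r"Trident/(\d+\.\d+)")
MSIE = re.compile(r"MSIE (\d+)\.")


def ie_major(user_agent):
    """Return the real IE major version, or None if the browser is not IE."""
    m = TRIDENT.search(user_agent)
    if m and m.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[m.group(1)]
    m = MSIE.search(user_agent)  # IE 7 and older send no Trident token
    return int(m.group(1)) if m else None


def ie10_clients(log_lines):
    """Map client IP -> request count for clients whose browser is really IE 10."""
    hits = defaultdict(int)
    for line in log_lines:
        m = UA_FIELD.search(line)
        if m and ie_major(m.group(1)) == 10:
            hits[line.split()[0]] += 1
    return dict(hits)


# Constructed sample proxy log lines (not real traffic).
REQ = '- - [14/Feb/2014:09:12:01 +0000] "GET http://example.com/ HTTP/1.1" 200 512'
SAMPLE_LOG = [
    f'10.0.0.5 {REQ} "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    f'10.0.0.5 {REQ} "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    f'10.0.0.9 {REQ} "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    # IE 10 in Compatibility View: MSIE says 7.0, Trident/6.0 gives it away
    f'10.0.0.12 {REQ} "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)"',
    # IE 11 in Compatibility View: must not be flagged
    f'10.0.0.20 {REQ} "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"',
    f'10.0.0.31 {REQ} "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"',
]

if __name__ == "__main__":
    for ip, count in sorted(ie10_clients(SAMPLE_LOG).items()):
        print(f"{ip}\tIE 10\t{count} request(s)")
```

User-Agent strings are client-supplied, so treat the result as an inventory aid for scheduling upgrades rather than an authoritative version check.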