Zero-day Microsoft IE exploit could grant unrestricted OS access

Reports have surfaced shedding light on a zero-day Microsoft Internet Explorer vulnerability that, once exploited, could grant an attacker unrestricted access to the target’s operating system.

ENKI researchers believe that the flaw, known as CVE-2021-26411, correlates to a vulnerability that was publicly disclosed back in February.

The remote execution flaw is already being exploited in the wild, warned Kevin Breen, cyber threat research director at Immersive Labs.

It reportedly features elements of social engineering, as the attacker needs to be able to trick the victim into visiting a fraudulent website in order to be successful.

This can be accomplished with the help of a malvertising or spear phishing campaign.

If successful, the attacker attains user-level access to the system but no administrative privileges, given that the victim is using a user-level account.

In other words, they will be able to access the victim’s personal files, but access to the core of the operating system itself will remain limited.

However, if the user is logged in as an administrator, then the attacker will get administrator-level access privileges.

Of course, this means full, unrestricted access to do anything as they please.

As Breen noted, this example illustrates the cyber security risks of browsing the web with the privileges that come with using an admin account.

Jay Goodman, product marketing manager at Automox, added that the following browsers are affected by the memory corruption vulnerability:

  • Microsoft Edge
  • Internet Explorer 9
  • Internet Explorer 11

Any user who visits a malicious website designed to exploit the vulnerability could allow the attackers in.

Goodman stressed the importance of letting IT teams act swiftly to patch the vulnerability in question.

After all, latent vulnerabilities left unpatched are one of the leading contributors to attackers being able to gain unauthorised system access.