This week, Palo Alto Networks researcher Bo Qu was credited with discovering 3 distinct critical vulnerabilities in Microsoft Internet Explorer. These vulnerabilities (CVE-2013-3915, CVE-2013-3916, CVE-2013-3917) were documented earlier this week in Microsoft Security Bulletin MS13-088. All of them enabled an attacker to place specially crafted content on a website that could cause memory corruption and give a remote attacker the same rights as the target user, including code execution capabilities. These types of vulnerabilities are particularly valuable to advanced attackers interested in infecting users in drive-by-download and watering-hole attacks. The attacker simply lures the user into clicking on an infected link, and can then gain control of the browser and the user's privileges.
Of particular interest, these vulnerabilities impacted versions of Internet Explorer from IE6 all the way up to IE11, which was released only recently, in October (IE11 has been touted by Microsoft as making the web 40% more secure). The fact that these vulnerabilities are present up to the latest version of IE means that not only are they critical, but the scope of affected users is also particularly large.
These vulnerabilities were disclosed to Microsoft as part of Palo Alto Networks' participation in the MAPP program, which ensures the timely, responsible disclosure of new vulnerabilities and allows security vendors to create protections for them, so that customers are protected as soon as the vulnerabilities are announced publicly.