Microsoft yesterday unexpectedly released a security advisory warning users of active exploitation of a vulnerability affecting all supported versions of Internet Explorer (6 through 11).
The remote code execution vulnerability “may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” and can be exploited by an attacker hosting a specially crafted website designed to trigger it and then convincing a user to view that website with IE.
Microsoft says that the targeted attacks detected in the wild are currently attempting to exploit this vulnerability in IE 8 and 9, and that it remains vigilant and is working with partners to detect and take action against malicious sites that attempt to exploit the flaw.
To protect customers as much as possible until a definitive security update fixing the flaw is released, the company has made a Fix it solution available and has also recommended that users:
- Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones, and
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
The Fix it must be downloaded and run by users themselves, and the other two actions may affect the usability of the system; that impact can be reduced by adding sites that are genuinely needed to the Internet Explorer Trusted Sites zone, so that the stricter Internet and intranet zone settings cause as little disruption as possible.
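The two zone mitigations above can be checked (and, with -Apply, enforced) per user from PowerShell. This is an added example, not Microsoft's Fix it or anything from the advisory; the registry layout it relies on (Zones\1 = Local intranet, Zones\3 = Internet, CurrentLevel 0x12000 = High, value 1400 = Active Scripting, 1200 = Run ActiveX controls, ZoneMap\Domains for Trusted Sites) is assumed from the standard IE per-user zone settings and should be confirmed on a test machine before rolling out.

```powershell
# Added example (not from the advisory): audit, and optionally apply, the advisory's zone mitigations.
# Assumed registry layout: Zones\1 = Local intranet, Zones\3 = Internet, Zones\2 = Trusted sites.
# Assumed value codes: CurrentLevel 0x12000 = High; 1400 = Active Scripting, 1200 = Run ActiveX
# controls, each 0 = enable, 1 = prompt, 3 = disable.
param(
    [switch]$Apply,                  # without -Apply the script only reports
    [string[]]$TrustedSites = @()    # e.g. 'intranet.example.com' (placeholder hostnames)
)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# CurrentLevel only records the slider position; the per-action values are what IE enforces,
# so both are checked. 3 = disable; use 1 here instead if you prefer "prompt" for scripting.
$wanted   = @{ CurrentLevel = 0x12000; '1400' = 3; '1200' = 3 }

foreach ($id in $zones.Keys) {
    $key = Join-Path $zoneRoot $id
    $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $wanted.Keys) {
        $have = $cur.$name
        $ok   = ($have -eq $wanted[$name])
        "{0,-15} {1,-12} current={2,-8} wanted={3,-8} {4}" -f $zones[$id], $name, $have,
            $wanted[$name], $(if ($ok) { 'OK' } else { 'WEAK' })
        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $key -Name $name -Value $wanted[$name] -Type DWord
        }
    }
}

# Keep needed sites usable by placing them in Trusted Sites (zone 2) instead of loosening the
# Internet zone. Assumption: the flat Domains\<host> form is honoured by IE; the IE UI itself
# writes the nested form Domains\example.com\intranet. https-only; add 'http' = 2 if required.
foreach ($site in $TrustedSites) {
    $key = Join-Path $zoneMap $site
    if ($Apply) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
    }
    "Trusted site: $site -> zone 2"
}
```

Run it once without -Apply to see which of the two zones still permits Active Scripting or ActiveX, then with -Apply (and -TrustedSites for the sites users actually need) to enforce the advisory's recommendation.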
“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability,” Microsoft warned in the advisory.
“In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.”
So, IE users, beware of unsolicited messages and suspicious links – now and forever – and implement the Fix it.