Microsoft has released an emergency fix for a vulnerability in all versions of Internet Explorer – warning that targeted attacks are already attempting to exploit it. Malicious websites could use the vulnerability to remotely run code on victim’s machines, Microsoft warned.
Microsoft described the targeted attacks against IE 8 and IE 9 as “extremely limited” so far, according to NBC News. The company admitted that other versions of the browser were vulnerable, but only IE 8 and IE 9 have been targeted so far. Cybercriminals are willing to pay large amounts of money to access such “zero day” vulnerabilities, often picking specific targets to attack while the vulnerability is still “fresh” and unknown, according to Jim Finkle of Reuters.
In a blog post, Dustin Childs of Microsoft’s Security Response Center said that the risks for users lay in attackers compromising trusted websites – or convincing them to click links in emails or instant messages.
“This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type,” Childs wrote. “This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message.”
Child’s post also offers advice on how to mitigate the threat for users continuing to browse via Internet Explorer.
Microsoft has released a “Fix It” as a temporary solution, which can be downloaded from Microsoft’s site. Microsoft said that it will provide a more permanent solution either through its regular security update schedule, or through an “out of cycle” update.
“We are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability,” Microsoft says.
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
Author Rob Waugh, We Live Security