Microsoft has confirmed a zero-day vulnerability affecting all supported versions of Internet Explorer, including IE8, IE7 and IE6.The Redmond company explains that the security flaw involves the creation of uninitialized memory during a CSS function within the browser.
“It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution,” the software giant informed.
Given the fact that successful exploits against this vulnerability can allow for remote code execution, and attacker could potentially take over a victim’s computer.
However, Dave Forstrom, Director, Trustworthy Computing, Microsoft denied that this has happened yet.
In fact, Forstrom underlines that Microsoft has yet to detect any attacks leveraging the vulnerability, although Proof of Concept code is already available in the wild, with the exploit having even been added to Metasploit.
“Given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack our customers may increase,” he stated.
According to information available on the security hole, exploits targeting IE8, IE7 and IE6 are capable of bypassing security mitigations such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).
“Additionally, customers should be aware that Protected Mode in Internet Explorer on Windows Vista and Windows 7 helps to significantly limit the impact of currently known exploits.
“Protected Mode is on by default in Internet and Restricted sites zones in Internet Explorer 7 and 8, and prompts users before allowing software to install, run or modify sensitive system components,” Forstrom explained.
A patch is not available to fix the vulnerability at this point in time, but the Redmond company is hard at work on an update.
In the meantime, Microsoft provided customers with the necessary guidance to mitigate this threat.
Microsoft Security Advisory (2488013) is currently live and details two workarounds that users can turn to until an actual security update will be offered.
The software giant is advising customers to turn to the Enhanced Mitigation Experience Toolkit (EMET) to dynamically rebase all loaded DLLs, and to set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.