New Internet Explorer Vulnerability

Microsoft has issued a Security Advisory (2794220) concerning a new “zero-day” vulnerability in Internet Explorer.   Versions 6, 7, and 8 of the browser are affected, on all versions of Windows;  versions 9 and 10 are not.  The flaw involves a memory allocation and access bug; if exploited, it could lead to the attacker gaining access to the system with the same privileges as the logged-in user, and execution of arbitrary code.  The most likely exploit would involve clicking on a link to a malicious Web site, sent to the user via an E-mail or instant message. An exploit would not necessarily require the Web site itself to be compromised; a site that hosted user-supplied content might also serve as an attack vector.

Microsoft has assigned this vulnerability CVE-2012-4792; however, at this point there is no further information available in the CVE data base.  A more detailed technical explanation of the vulnerability is available in this Microsoft blog post.

As I mentioned earlier, this vulnerability does not affect Internet Explorer version 9 or 10.  However, those of you still using Windows XP are out of luck on that score, because upgrading to one of those IE versions is not an option.  (If you are still using XP, I hope you have started planning a transition to a newer version of Windows.)  Microsoft says that it is investigating the problem, and that it will “take appropriate action” once the investigation is complete.  The Security Advisory has some suggestions for possible mitigations.  As always, never click on an unsolicited link someone sends you.

Update Sunday, 30 January, 23:16 EST

It appears that a sample exploit for this vulnerability has been published on the Web.  If you are using a vulnerable version of Internet Explorer, I suggest that you switch to Firefox or Chrome, or at least apply Microsoft’s recommended mitigations as soon as you can.