Microsoft has issued Security Advisory 2794220 concerning a new “zero-day” vulnerability in Internet Explorer. Versions 6, 7, and 8 of the browser are affected, on all supported versions of Windows; versions 9 and 10 are not. The flaw is a memory-corruption bug in the browser’s HTML rendering engine (mshtml.dll): as the advisory puts it, IE can access an object in memory that has already been deleted or was never properly allocated, in other words a use-after-free. An attacker who exploits it can execute arbitrary code with the privileges of the logged-in user, so a user who browses from an administrator account hands over the whole machine. The most likely attack would lure the user into clicking a link, sent by e-mail or instant message, to a Web page that hosts the exploit. The page need not be on a site the attacker has compromised; any site that displays user-supplied content could serve as the attack vector.
The vulnerability has been assigned CVE-2012-4792; at the time of writing, however, the entry in the CVE database is still a placeholder with no further information. A more detailed technical explanation of the vulnerability is available in this Microsoft blog post.
As I mentioned earlier, this vulnerability does not affect Internet Explorer 9 or 10. That is no help to those of you still using Windows XP, because neither of those versions can be installed on XP; IE 8 is as far as XP goes. (If you are still using XP, I hope you have started planning a transition to a newer version of Windows.) Microsoft says that it is investigating the problem and will “take appropriate action” once the investigation is complete. In the meantime, the Security Advisory lists workarounds: deploy the Enhanced Mitigation Experience Toolkit (EMET), and set the Internet and Local intranet zone security level to High (or at least configure IE to prompt before running Active Scripting), which blocks the ActiveX controls and scripting that an exploit page relies on to trigger the bug. As always, never click on an unsolicited link someone sends you.
Update Sunday, 30 January, 23:16 EST
It appears that working exploit code for this vulnerability has been published on the Web, so exploitation is no longer limited to whoever found the bug first. If you are using a vulnerable version of Internet Explorer, I suggest that you switch to Firefox or Chrome until a patch is available, or at the very least apply Microsoft’s recommended mitigations as soon as you can.
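For readers who administer Windows machines, the following is an added example of how to check where a given host stands against this advisory. It is my own script, not part of Microsoft’s advisory or of the FixIt, and it covers both the affected-version question discussed above and the zone-hardening and EMET workarounds the advisory recommends. The registry locations and value meanings (IE version under HKLM\SOFTWARE\Microsoft\Internet Explorer; the Internet zone under Internet Settings\Zones\3, where CurrentLevel 0x12000 is High and value 1400 controls Active Scripting) are Microsoft’s documented ones; the “hardened” and “exposed” verdicts, the EMET detection heuristic, and the function names are this example’s own assumptions. It is written against PowerShell 2.0 so that it also runs on Windows XP, where moving to IE 9 or 10 is not an option.

```powershell
# Added example, not from Microsoft's advisory or the FixIt. Audits a host for
# Security Advisory 2794220: reports the installed IE version, whether it is in the
# affected 6-8 range, and whether the advisory's workarounds (Internet zone at High
# or Active Scripting not enabled, or EMET installed) are in effect.
# Assumptions: the "hardened"/"exposed" definitions and the EMET check are mine.
# PowerShell 2.0 compatible (no [ordered], no -in) so it runs on XP / Server 2003.

function Get-IeZoneState {
    param([string]$ZoneKey)
    if (-not (Test-Path $ZoneKey)) { return $null }
    $z = Get-ItemProperty -Path $ZoneKey
    New-Object PSObject -Property @{
        # CurrentLevel: 0x12000 = High, 0x11000 = Medium-high, 0x10500 = Medium, 0x10000 = Low
        Level           = $z.CurrentLevel
        # 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting";
        # for both: 0 = enable, 1 = prompt, 3 = disable
        ActiveX         = $z.'1200'
        ActiveScripting = $z.'1400'
    }
}

function Test-IeAdvisory2794220 {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    # IE 10 keeps "9.10.x" in Version for compatibility; its real version is in svcVersion.
    $verString = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $major = [int]($verString.Split('.')[0])
    $vulnerableBuild = ($major -ge 6) -and ($major -le 8)

    # Zone settings are per-user (HKCU) unless Security_HKLM_only forces the machine copy.
    $inet = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    $hklmOnly = (Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue).Security_HKLM_only -eq 1
    $root = if ($hklmOnly) { 'HKLM:' } else { 'HKCU:' }
    # Zones\3 is the Internet zone; the advisory also hardens Zones\1 (Local intranet).
    $zone = Get-IeZoneState "$root\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

    $hardened  = $false
    $levelText = 'n/a'
    $scripting = 'n/a'
    if ($zone -ne $null) {
        # Either the whole zone is at High, or Active Scripting is prompt (1) or disabled (3).
        $hardened  = ($zone.Level -eq 0x12000) -or (@(1, 3) -contains $zone.ActiveScripting)
        $levelText = '0x{0:X}' -f $zone.Level
        $scripting = $zone.ActiveScripting
    }

    # Heuristic EMET check (assumption): look for it in the installed-programs list.
    $emet = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
        Get-ItemProperty | Where-Object { $_.DisplayName -like 'EMET*' }
    $emetInstalled = [bool]$emet   # [bool] handles $null, one object, or an array of matches

    New-Object PSObject -Property @{
        IEVersion            = $verString
        VulnerableBuild      = $vulnerableBuild
        InternetZoneLevel    = $levelText
        ActiveScripting      = $scripting
        InternetZoneHardened = $hardened
        EMETInstalled        = $emetInstalled
        # Exposed: an affected build with neither workaround in effect
        Exposed              = $vulnerableBuild -and (-not $hardened) -and (-not $emetInstalled)
    }
}

Test-IeAdvisory2794220 | Format-List
```

Run it in the context of the user who actually browses, since the zone settings it reads are per-user unless Group Policy has forced the machine-wide copy. A result of `Exposed : True` means an IE 6, 7 or 8 install with neither the zone hardening nor EMET in place; on that machine, apply the advisory’s workarounds or use another browser until Microsoft ships a fix.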