A 'zero day' flaw was uncovered in Internet Explorer this weekend. Microsoft is rushing to fix the vulnerability but has so far done no more than publish a brief advisory note. The flaw, which allows remote code execution from a maliciously designed website, affects IE versions 6, 7, 8, 9, 10 and 11. Reuters reports that PC users running Windows XP will not receive the bug-fixing updates when they are released. The various versions of IE together account for around 55 per cent of the world's web browsers in daily use.
Microsoft describes this widespread Internet Explorer vulnerability as follows:
"The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
Microsoft Security Response Centre (MSRC)
So far Microsoft has observed only "limited, targeted attacks". This may be because the vulnerability was discovered only recently, and because targeted users still have to be lured to the malicious website somehow, for example via a link in an email or IM chat. It may also be thanks to Microsoft's "mitigating factors", which include: Enhanced Protected Mode in IE10 and IE11 being the default browsing experience on the Modern UI, and EMET (Enhanced Mitigation Experience Toolkit) 4.1 and EMET 5.0 protecting against this risk. Keeping firewall, AV and anti-spyware software up to date and enabled will also help to protect Windows/IE users.
Microsoft reminded users that those whose Windows accounts are configured with fewer user rights could be less affected by this vulnerability than 'Administrators'. We are also told not to click on suspicious links from hither and thither and to avoid opening fishy-looking emails. Microsoft also recommended, in a statement to Reuters, that Windows XP users upgrade to Windows 7 or 8, as XP will receive no system updates to address this vulnerability when they become available.