Microsoft says it is investigating reports of a vulnerability in Internet Explorer 6, 7, 8, and 9 as well as targeted attacks that have attempted to exploit the vulnerability.
The zero-day flaw, which does not affect Explorer 10, was identified by researcher Eric Romang, according to a blog post by security research firm Rapid7, which has incorporated the exploit into its Metasploit testing tool.
“The exploit, which had already been used by malicious attackers in the wild before it was published in Metasploit, is affecting about 41% of Internet users in North America and 32% world-wide [according to StatCounter],” the company said.
“We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures,” Rapid7 added.
According to a Microsoft security advisory, a remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated.
The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer, the company said. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
On completion of its investigation, Microsoft said it will take appropriate action, which may include providing a patch in its monthly security update or an out-of-cycle security update.
The company said it is working with partners in the Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
“In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability,” Microsoft said.
Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center: enabling a firewall, applying all software updates, and installing anti-virus and anti-spyware software.
Detailed guidelines provided in Microsoft’s security advisory
Microsoft said that in a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. However, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Microsoft suggests several mitigating factors and a workaround to block known attack vectors until a security update is available. Alternatively, Rapid7 suggests switching to other browsers such as Chrome or Firefox.
18 Sep 2012