Microsoft Issues Fix For Security Vulnerability

Yesterday, Microsoft unexpectedly released a security advisory warning users about instances of active exploitation of a vulnerability found in all supported versions of Internet Explorer (6-11).

The remote code execution vulnerability "may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer." It can be exploited by an attacker who hosts a website crafted especially for that purpose and convinces a user to view the website with IE.

Microsoft says that the targeted attacks detected in the wild are currently attempting to exploit this vulnerability in IE 8 and 9. The company adds that it remains vigilant and is working with partners to detect and take action against malicious sites that attempt to exploit this flaw.

In order to protect customers as much as possible until a definitive security update fixing the flaw is released, the company has made a Fix It solution available, in addition to recommending that users:

  • Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

The Fix It must be downloaded and run by the users themselves. The other two actions may affect the usability of the system, but that disruption can be minimized by adding sites you trust to the Internet Explorer Trusted Sites zone.
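The zone changes above can be applied and verified from PowerShell rather than by clicking through the Internet Options dialog. The script below is an added example, not part of the advisory or a Microsoft tool: it writes the standard per-user IE zone registry values for the Local intranet (zone 1) and Internet (zone 3) zones, reads them back to confirm they took effect, and then maps one placeholder domain (`intranet.example.com`, an assumption, not a real site from the page) into the Trusted sites zone so that it is exempt from the restriction.

```powershell
# Added example (not from the advisory): applies the two interim mitigations
# Microsoft recommended and adds one trusted site so a known-good site keeps
# working. Registry paths and value names are the standard IE zone settings;
# "intranet.example.com" is a placeholder domain. Changes are per-user (HKCU).

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ Intranet = 1; Internet = 3 }   # IE zone ids: 1 = Local intranet, 3 = Internet

# Per-zone action values: 0 = Enable, 1 = Prompt, 3 = Disable
$settings = @{
    '1200' = 3   # Run ActiveX controls and plug-ins -> Disable
    '1400' = 1   # Active scripting                  -> Prompt (use 3 to disable outright)
}

function Set-ZoneMitigation {
    param([int]$ZoneId, [hashtable]$Values)
    $key = Join-Path $zoneRoot $ZoneId
    foreach ($name in $Values.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $Values[$name] -Type DWord
    }
}

function Get-ZoneSetting {
    param([int]$ZoneId, [string]$Name)
    (Get-ItemProperty -Path (Join-Path $zoneRoot $ZoneId) -Name $Name).$Name
}

function Add-TrustedSite {
    param([string]$Domain, [string]$Scheme = 'https')
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # A value of 2 assigns this scheme+domain to the Trusted sites zone
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

foreach ($zone in $zones.GetEnumerator()) {
    Set-ZoneMitigation -ZoneId $zone.Value -Values $settings
    # Read back every value and fail loudly if the write did not stick
    foreach ($name in $settings.Keys) {
        $actual = Get-ZoneSetting -ZoneId $zone.Value -Name $name
        if ($actual -ne $settings[$name]) {
            throw "Zone $($zone.Key): $name is $actual, expected $($settings[$name])"
        }
    }
    Write-Host ("Zone {0} ({1}): ActiveX={2} ActiveScripting={3}" -f $zone.Key, $zone.Value,
        (Get-ZoneSetting -ZoneId $zone.Value -Name '1200'),
        (Get-ZoneSetting -ZoneId $zone.Value -Name '1400'))
}

Add-TrustedSite -Domain 'intranet.example.com'
```

Two caveats for anyone rolling this out: the script sets the two specific actions the advisory names (ActiveX and Active Scripting) rather than applying the whole "High" slider template, and values under HKCU are overridden by any zone settings pushed through Group Policy, so check the effective setting in Internet Options after running it on a domain-joined machine.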

"In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability," Microsoft warned in the advisory.

"In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website."

So, IE users, beware of unsolicited messages and suspicious links - now and forever - and implement the Fix It.

Thank you.

Jim Furstenberg, IT Security Analyst

Last updated: 09-19-2013