Microsoft has released Security Advisory 2757760 to address a vulnerability in Internet Explorer. All versions of Internet Explorer are affected except IE 10. Microsoft says it is aware of targeted attacks that attempt to exploit this vulnerability and is actively investigating the issue.
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has been deleted or has not been properly allocated (a use-after-free). The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
No patches have been released yet but a few workarounds are suggested:
- Deploy the Enhanced Mitigation Experience Toolkit (EMET); see Microsoft's knowledge base article for details.
- Set the Internet and Local intranet security zone settings to "High" to block ActiveX controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones.
And obviously, UAC and limited user account rights also help. Be cautious when visiting unfamiliar or suspicious websites.
Nothing here is particularly serious, but it is painful to see this kind of vulnerability. To be honest, none of the suggested actions makes much sense, since pretty much all of them have side effects that compromise the user experience.
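The zone workarounds above are, in registry terms, two DWORD values per zone: `1200` (Run ActiveX controls and plug-ins) and `1400` (Active scripting), where `0` means Enable, `1` Prompt and `3` Disable, stored under `HKCU\...\Internet Settings\Zones\1` (Local intranet) and `\3` (Internet). The following PowerShell script is an added example, not code from the original post or from Microsoft: it audits those four values for the current user, applies the Prompt or Disable workaround after saving a backup, and restores the saved state once the real patch arrives. The value names and data codes follow Microsoft's documented zone layout (KB 182569); the function names, the backup file path and the assumption that no machine-wide (HKLM) zone policy overrides the per-user values are mine.

```powershell
# Added example (not from the original post): audit, apply and revert the
# Active Scripting / ActiveX workarounds from Security Advisory 2757760 for the
# current user's Internet (zone 3) and Local intranet (zone 1) zones.
# Value names and data codes follow Microsoft KB 182569:
#   1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
#   data: 0 = Enable, 1 = Prompt, 3 = Disable
# Assumption: no HKLM zone policy (Security_HKLM_only) overrides these HKCU values.
param(
    [ValidateSet('Audit', 'Prompt', 'Disable', 'Restore')]
    [string]$Mode = 'Audit',
    [string]$BackupPath = "$env:TEMP\ie-zones-backup-2757760.json"   # assumed location
)

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Settings = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Codes    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Read the current state of the two relevant values in both zones.
function Get-ZoneState {
    foreach ($z in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $z
        foreach ($v in $Settings.Keys) {
            $data = (Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue).$v
            $meaning = if ($null -eq $data) { 'not set (zone default)' }
                       elseif ($Codes.ContainsKey([int]$data)) { $Codes[[int]$data] }
                       else { "unknown ($data)" }
            [pscustomobject]@{
                Zone      = $Zones[$z]
                Value     = $v
                Setting   = $Settings[$v]
                Data      = $data
                Meaning   = $meaning
                Mitigated = ($data -eq 1 -or $data -eq 3)   # Prompt or Disable blocks the drive-by path
            }
        }
    }
}

# Apply Prompt (1) or Disable (3) to both values in both zones, backing up first
# so the change can be reverted: the workaround degrades the browsing experience.
function Set-ZoneWorkaround {
    param([ValidateSet('Prompt', 'Disable')][string]$Action)
    $code = if ($Action -eq 'Prompt') { 1 } else { 3 }
    if (-not (Test-Path $BackupPath)) {
        Get-ZoneState | ConvertTo-Json | Set-Content -Path $BackupPath
    }
    foreach ($z in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($v in $Settings.Keys) {
            Set-ItemProperty -Path $key -Name $v -Value $code -Type DWord
        }
    }
}

# Put the values back exactly as recorded in the backup (including "not set").
function Restore-ZoneState {
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    foreach ($entry in (Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)) {
        $zoneId = ($Zones.GetEnumerator() | Where-Object { $_.Value -eq $entry.Zone }).Key
        $key = Join-Path $ZoneRoot $zoneId
        if ($null -eq $entry.Data) {
            Remove-ItemProperty -Path $key -Name $entry.Value -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $entry.Value -Value ([int]$entry.Data) -Type DWord
        }
    }
}

switch ($Mode) {
    'Prompt'  { Set-ZoneWorkaround -Action Prompt }
    'Disable' { Set-ZoneWorkaround -Action Disable }
    'Restore' { Restore-ZoneState }
}
Get-ZoneState | Format-Table Zone, Setting, Data, Meaning, Mitigated -AutoSize
```

Run it with `-Mode Audit` to see whether a machine already has the workaround in place (useful across a fleet, since "High" set through the GUI writes the same values), `-Mode Prompt` or `-Mode Disable` to apply it, and `-Mode Restore` after the cumulative update is installed. Note that it only covers the two zone settings; EMET deployment and the Fix It are separate steps, and content in the Trusted sites zone is unaffected by these values.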
[Update on Sept. 19, 2012]
Microsoft has released a Fix It that lets you close the hole manually for the time being, and promises that a full patch will be released on Friday as an out-of-band emergency security update.