Microsoft released an advisory today to address a zero-day vulnerability affecting Internet Explorer.
Microsoft decided to release the advisory after exploit code for the unpatched bug went public. The issue, which VUPEN Security warned users about earlier this month, impacts IE 6, 7 and 8 on Windows XP, Vista and Windows 7.
According to Microsoft, the vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. Under certain conditions, it is possible for an attacker to leverage the memory to execute code remotely.
“An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site,” Microsoft’s advisory warns. “The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements… In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker’s Web site.”
So far, Microsoft said it has not seen the vulnerability come under attack. The company does not currently plan to issue an out-of-band emergency patch to address the situation, but will update the Microsoft Security Response Center blog if that changes.
As a workaround, users can set their Internet and local Intranet security zone settings to ‘high.’
“Internet Explorer Protected Mode on Windows Vista and later versions of Windows helps to limit the impact of the currently known proof-of-concept exploits,” Microsoft said. “Protected Mode is on by default in the Internet and Restricted sites zones in Internet Explorer 7 and 8 and prompts users before allowing software to install, run or modify sensitive system components.”
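For an administrator who wants to verify that the two mitigations above (Internet and Local Intranet zones at ‘high’, Protected Mode on) are actually in place on a workstation, here is an added, read-only audit script; it is not from the article or from Microsoft. It assumes the standard per-user zone registry keys, the CurrentLevel template values (0x12000 = High) and the per-zone value 2500 (0 = Protected Mode on), so confirm those on your own build before relying on it.

```powershell
# Added example, not from the article. Audits the IE zone workaround and Protected Mode
# state for the current user. Registry paths and values are assumed standard IE ones.
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone IDs named in the workaround (assumed standard numbering): 1 = Local Intranet, 3 = Internet
$zones = @{ 1 = 'Local Intranet'; 3 = 'Internet' }

# CurrentLevel template values (assumed standard): 0x12000 High ... 0x10000 Low
$levelNames = @{
    0x12000 = 'High'; 0x11500 = 'Medium-High'; 0x11000 = 'Medium'
    0x10500 = 'Medium-Low'; 0x10000 = 'Low'
}
$requiredLevel = 0x12000

function Get-ZoneState {
    param([int]$ZoneId)
    $key = Join-Path $zonesRoot $ZoneId
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $level = [int]$props.CurrentLevel
    # Value "2500" holds the Protected Mode setting (assumed): 0 = on, 3 = off
    $pm = if ($null -ne $props.'2500') { [int]$props.'2500' } else { -1 }
    [pscustomobject]@{
        Zone          = $zones[$ZoneId]
        Level         = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'custom (0x{0:X})' -f $level }
        LevelIsHigh   = ($level -eq $requiredLevel)
        ProtectedMode = switch ($pm) { 0 { 'on' } 3 { 'off' } default { 'unknown' } }
    }
}

$results = foreach ($id in ($zones.Keys | Sort-Object)) {
    try { Get-ZoneState -ZoneId $id }
    catch {
        [pscustomobject]@{ Zone = $zones[$id]; Level = 'unreadable'; LevelIsHigh = $false; ProtectedMode = 'unknown' }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit lets a management tool flag hosts where the workaround is not applied
if ($results.LevelIsHigh -contains $false) {
    Write-Warning 'One or more zones are not set to High; apply the workaround via Internet Options > Security.'
    exit 1
}
```

If the Security_HKLM_only policy is in force the effective settings live under the equivalent HKLM key instead, so adjust $zonesRoot accordingly; the script deliberately only reports and does not change anything.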