Microsoft is investigating a new remote code execution vulnerability in Internet Explorer and preparing a security update for all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11). The company has issued a security advisory in the meantime because it has confirmed reports that the issue is being exploited in a “limited number of targeted attacks” specifically directed at IE8 and IE9.
The company has found that the flaw could potentially affect all supported versions, although it says that running “modern versions” of IE has the advantage of additional security features that can help prevent successful attacks. The flaw in question makes remote code execution possible if you browse to a website containing malicious content for your specific browser type (an attacker can either compromise a regularly frequented and trusted site or convince the user to click a link in another application).
Here are the details Microsoft is sharing about the flaw:
The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
While we wait for a patch, which Microsoft has not provided a date for (October’s Patch Tuesday is likely, but it could come before or after as well), the company is offering the following workarounds and mitigations:
- Apply the Microsoft Fix it solution, “CVE-2013-3893 MSHTML Shim Workaround,” that prevents exploitation of this issue.
- Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.
The first option can be enabled and disabled as needed. The second and third options will help prevent exploitation but can affect usability. As such, Microsoft recommends trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize problems.
Top Image Credit: Nate Brelsford