Over the weekend, Microsoft issued a security advisory warning of a dangerous flaw in Internet Explorer, which affects all versions of the browser from IE 6 through to the latest IE 11 incarnation.
The vulnerability in question is of the remote code execution variety – in other words, it could be used by a malicious party to run dodgy code and potentially take control of the user’s machine. According to Microsoft, the flaw lies in the way the browser accesses an object in memory that has already been deleted (a use-after-free condition).
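To make the mechanism above concrete from the defender's side, here is an added example (not Microsoft's or Internet Explorer's code) of the pattern that turns "accessing a deleted object" from silent memory corruption into a detectable error: a small object table whose handles carry a generation number that is bumped every time a slot is freed, so any stale handle held after deletion fails to resolve instead of touching reused memory. The table size, the `node_t`/`handle_t` names and the DOM-flavoured object names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative object store (assumed layout, not any browser's internals).
 * Each slot carries a generation counter; a handle is only valid while its
 * generation matches the slot's, so a reference kept past node_free() is
 * rejected rather than dereferenced. */

#define MAX_OBJECTS 8

typedef struct {
    char name[32];
    int in_use;
    uint32_t generation;   /* incremented on every free */
} node_t;

typedef struct {
    uint32_t index;
    uint32_t generation;   /* snapshot of the slot's generation at creation */
} handle_t;

static node_t table[MAX_OBJECTS];

/* Allocate a slot and return a handle bound to its current generation. */
handle_t node_create(const char *name) {
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            strncpy(table[i].name, name, sizeof table[i].name - 1);
            table[i].name[sizeof table[i].name - 1] = '\0';
            return (handle_t){ i, table[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };   /* table full */
}

/* Resolve a handle; NULL means the object was freed (or the slot reused). */
node_t *node_lookup(handle_t h) {
    if (h.index >= MAX_OBJECTS) return NULL;
    node_t *n = &table[h.index];
    if (!n->in_use || n->generation != h.generation) return NULL;
    return n;
}

/* Free the object; bumping the generation invalidates every outstanding
 * handle, including the one the caller still holds. Returns -1 if the
 * handle was already stale (a double free attempt). */
int node_free(handle_t h) {
    node_t *n = node_lookup(h);
    if (!n) return -1;
    n->in_use = 0;
    n->generation++;
    memset(n->name, 0, sizeof n->name);
    return 0;
}

int main(void) {
    handle_t h = node_create("div");
    printf("before free: %s\n", node_lookup(h) ? node_lookup(h)->name : "(stale)");
    node_free(h);
    /* The slot is immediately recycled, as a real allocator might do... */
    handle_t h2 = node_create("span");
    /* ...but the old handle still does not resolve to the new object. */
    printf("after free: %s\n", node_lookup(h) ? node_lookup(h)->name : "(stale)");
    printf("new object: %s\n", node_lookup(h2) ? node_lookup(h2)->name : "(stale)");
    return 0;
}
```

The point of the recycled slot in `main` is that a plain raw pointer would have happily read the newly placed `"span"` object through the old `"div"` reference; the generation check is what distinguishes the two, which is the property a use-after-free bug in a browser lacks.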
It could be leveraged by an attacker setting up a website to exploit the flaw, and getting an IE user to visit that site via some form of phishing mail or message. Microsoft says that there have been “limited, targeted attacks” thus far.
So it sounds like it hasn’t been exploited much – but that could change as knowledge of the bug rapidly spreads. Microsoft is currently considering whether urgent out-of-cycle action is necessary to patch this particular hole up; or whether the matter can wait until the next round of Windows updates is released.
In its security advisory, the company wrote: “On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
According to the BBC, security firm Symantec has confirmed that this particular problem does affect Internet Explorer for Windows XP users, which makes this the first major hole that will go without an official patch for those still on XP. If you weren’t aware, Microsoft ended support for XP earlier this month, and such is the danger of running an outdated operating system…