Skip to main content

Microsoft offers security fix for zero-day exploit on Internet Explorer

Microsoft has moved to fix a security flaw that has been exposed in versions of its Internet Explorer web browser.

The zero-day vulnerability has been found in the older IE 6, IE 7 and IE 8 iterations, but the company has reassured users that IE 9 and IE 10 have not been affected.

“The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” Microsoft explained.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

A temporary workaround, which can be accessed via the ‘Suggested Actions’ section of this advisory, has been released by Microsoft while it develops a full security update to permanently rectify the issue.

"No sooner have we brought in the New Year and we're already seeing new security threats," said Carl Leonard, Senior Manager of Security Research at Websense Security Lab

"This IE Zero-Day vulnerability preys on those using older versions of IE, a typical tactic used by malware authors. They wouldn't go to the trouble of creating these exploits if they didn't know the older versions were still being widely used. So while many individuals resolve to get in the gym to kick-start the year, I would urge companies to do the same and get their security in the best shape it can be."

The exploitation reaffirms the notion that Internet users should always use modern browsers, which are more secure by their very nature - containing the latest plugs and solutions to vulnerabilities discovered online. Research group Team Cymru places this at the forefront of its top 10 tips to Internet security.