Microsoft announced this week it is looking into a vulnerability impacting Internet Explorer. So far, there have been a “limited number of targeted attacks” on IE 8 and IE 9. But the company warns, “The issue could potentially affect all supported versions.”
In response, Microsoft released a security advisory and is preparing a security update patch. It may not be available until next month.
“This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type,” Microsoft said in a statement. “This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an e-mail or instant message.”
Microsoft’s Dustin Childs, group manager of response communications, Trustworthy Computing, recommends in a blog post some possible workarounds and mitigations.
One is to apply the Microsoft solution “CVE-2013-3893 MSHTML Shim Workaround.” In addition, users can set Internet and local intranet security zone settings to “high.” Trusted sites should be added to the Internet Explorer trusted sites zone. Also, configure Internet Explorer to “prompt” before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones. Other recommendations are to enable a firewall, apply software updates and install anti-virus and anti-spyware software.
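To check whether a machine already has the zone settings described above, the following read-only PowerShell audit is an added example, not code from Microsoft's advisory or from this article. It assumes PowerShell 3.0 or later and the standard Internet Explorer zone registry layout (zone 1 is Local intranet, zone 3 is Internet, value 1400 is Active Scripting); it lists each registry location separately and does not work out which one takes precedence.

```powershell
# Added example: report security level and Active Scripting for the two zones
# named in the workaround. Reads the registry only; changes nothing.
$zones = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 3; Name = 'Internet' }
)
$base  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$hives = @(
    @{ Source = 'User setting';   Path = "HKCU:\Software\$base" },
    @{ Source = 'User policy';    Path = "HKCU:\Software\Policies\$base" },
    @{ Source = 'Machine policy'; Path = "HKLM:\SOFTWARE\Policies\$base" }
)
# Meaning of the 1400 (Active Scripting) and CurrentLevel DWORD values
$scriptingNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$levelNames = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium'
                 0x10500 = 'Medium-low'; 0x10000 = 'Low'; 0 = 'Custom' }

function Resolve-Name($table, $raw) {
    # Translate a raw DWORD to its label; keep absent and unknown values visible
    if ($null -eq $raw) { return 'Not set' }
    if ($table.ContainsKey([int]$raw)) { return $table[[int]$raw] }
    return "Unknown ($raw)"
}

function Get-IEZoneAudit {
    foreach ($zone in $zones) {
        foreach ($hive in $hives) {
            $key   = Join-Path $hive.Path ([string]$zone.Id)
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }   # zone key absent in this location
            $level     = Resolve-Name $levelNames $props.CurrentLevel
            $scripting = Resolve-Name $scriptingNames $props.'1400'
            [pscustomobject]@{
                Zone            = $zone.Name
                Source          = $hive.Source
                Level           = $level
                ActiveScripting = $scripting
                # Advice is met by a High zone, or by Prompt/Disabled scripting
                MeetsAdvice     = ($level -eq 'High') -or
                                  (('Prompt', 'Disabled') -contains $scripting)
            }
        }
    }
}

Get-IEZoneAudit | Format-Table -AutoSize
```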
Above all, be cautious of suspicious e-mails or websites. Be careful of clicking on links to these websites, too.
“We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our customers,” Childs added.
Microsoft offered more details and warnings on the new vulnerability. “The vulnerability is a remote code execution vulnerability,” the company said in its advisory. “The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
Edited by Alisen Downey