MS warns of IE vulnerability

Microsoft investigates reports of targeted attacks against Internet Explorer 8 and 9.

By Staff Writer, ITWeb
Johannesburg, 18 Sept 2013
A threat actor would be able to host a Web site designed to exploit the vulnerability.

Microsoft has issued an advisory, saying it is investigating reports of targeted attacks against a new zero-day vulnerability in all supported versions of Internet Explorer (IE).

Although the company has developed a tool to fix the vulnerability, there is no patch currently available.

Microsoft made no mention of where the attacks, which target IE 8 and 9, are originating, or whether any specific compromised Web sites are involved.

According to the advisory, "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution, CVE-2013-3893 MSHTML Shim Workaround, prevents the exploitation of this issue."

The software giant describes the vulnerability as a remote code execution vulnerability that exists in the way IE "accesses an object in memory that has been deleted or has not been properly allocated".

In addition, it may "corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within IE". In this way, a threat actor would be able to host a Web site crafted specifically to exploit the vulnerability.

"In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability."

The company stressed that, in each case, the threat actor would have no means of forcing users to visit the compromised sites, and would instead need to convince them to do so, usually through a link in an e-mail or instant message.

Microsoft says once the investigation has been concluded, it will take all necessary actions to protect its customers, and this may include either providing a solution through its monthly security update release process, or an out-of-cycle security update.