Unpatched Zero Day Internet Explorer Exploit (2/21/2014)
A current and unpatched zero day exploit is circulating that takes advantage of vulnerabilities in Internet Explorer versions 9 and 10. There are reports (and Microsoft has acknowledged) that this vulnerability is already being exploited in the wild against Internet Explorer 10. There is not yet a security patch for this vulnerability but Microsoft does have some workarounds available, including a Fix It:
End users are advised, as always, not to open unsolicited e-mail messages, and not to click on provided links, especially those from unrecognized or suspicious origins. It's also advisable to use an alternate web browser such as Google Chrome or Mozilla Firefox until an update to Internet Explorer is available, unless accessing an application which requires Internet Explorer.
LSPs and administrators are advised to monitor communications from Microsoft in the coming days for a software patch/update to mitigate this threat. Microsoft has stated that they will provide either a solution through their monthly “Patch Tuesday” security update or an out-of-cycle security update.
The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may allow the corruption of memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. In order to exploit this vulnerability, an attacker may provide a link to a malicious website with persuasive language to click on a provided link.
Internet Explorer version 9 and 10 are vulnerable on the following operating systems.
- Windows Vista SP2 and prior
- Windows 7 SP1 and prior
- Windows 8 (but not Windows 8.1)
- Windows Server 2008 R2 SP1 and prior
- Windows Server 2012 R1 and prior
ISC believes that approximately 20% of University desktop users are using Internet Explorer as their primary web browser.