Unpatched Zero Day Internet Explorer Exploit (9/20/2013)
Update 10/8/2013: There is a patch available for this exploit.
An unpatched zero day exploit is currently circulating that takes advantage of vulnerabilities in Internet Explorer versions 6 through 11. There are reports (and Microsoft has acknowledged) that this vulnerability is already being exploited in the wild against Internet Explorer versions 8 and 9. There is no security patch for this vulnerability, but Microsoft does have some workarounds available, including a Fix It for 32-bit versions of Internet Explorer:
End users are advised, as always, not to open unsolicited e-mail messages, and not to click on provided links, especially those from unrecognized or suspicious origins. It's also advisable to use an alternate web browser such as Google Chrome or Mozilla Firefox until an update to Internet Explorer is available, unless accessing an application which requires Internet Explorer.
LSPs and administrators are advised to monitor communications from Microsoft in the coming days for a software patch/update to mitigate this threat. Microsoft has stated that they will provide a solution either through their monthly “Patch Tuesday” security update release process or through an out-of-cycle security update.
The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. In order to exploit this vulnerability, an attacker may provide a link to a malicious website, along with persuasive language urging the user to click on it.
Internet Explorer is vulnerable on the following operating systems:
- Windows XP SP3 and prior
- Windows Vista SP2 and prior
- Windows 7 SP1 and prior
- Windows 8.1 and prior
- Windows Server 2003 SP2 and prior
- Windows Server 2008 R2 SP1 and prior
- Windows Server 2012 R1 and prior
ISC data suggests that approximately 20% of University desktop users are using Internet Explorer as their primary web browser.
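To find which clients still need the workaround, administrators can count Internet Explorer 6 through 11 users in web proxy or server logs. The Python sketch below is an added example, not part of the original advisory; the tab-separated log format and the sample lines are constructed assumptions. It reads the Trident token first so that Compatibility View, which reports `MSIE 7.0`, does not hide the real browser version.

```python
import re
from collections import defaultdict

# Trident engine token -> real IE version (still reported in Compatibility View,
# where the MSIE token is downgraded to 7.0).
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
ACTIVELY_EXPLOITED = {8, 9}  # versions the advisory reports as exploited in the wild

def ie_version(user_agent):
    """Return the IE major version (6-11) for a User-Agent string, or None."""
    trident = re.search(r"Trident/(\d+\.\d+)", user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[trident.group(1)]
    msie = re.search(r"\bMSIE (\d+)\.", user_agent)
    if msie and "Opera" not in user_agent:  # old Opera builds also sent an MSIE token
        version = int(msie.group(1))
        return version if 6 <= version <= 11 else None
    return None

def summarize(log_lines):
    """Map IE version -> set of client addresses; also return all clients seen."""
    by_version, all_clients = defaultdict(set), set()
    for line in log_lines:
        client, _, user_agent = line.partition("\t")
        if not user_agent:
            continue  # skip malformed lines
        all_clients.add(client)
        version = ie_version(user_agent)
        if version is not None:
            by_version[version].add(client)
    return dict(by_version), all_clients

# Constructed sample input: "<client address>\t<User-Agent>" per line (assumed format).
SAMPLE_LOG = [
    "10.0.0.11\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "10.0.0.12\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "10.0.0.13\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)",
    "10.0.0.14\tMozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "10.0.0.15\tMozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
    "10.0.0.16\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
]

if __name__ == "__main__":
    versions, clients = summarize(SAMPLE_LOG)
    exposed = set().union(*versions.values()) if versions else set()
    print(f"{len(exposed)} of {len(clients)} clients use Internet Explorer 6-11")
    for version in sorted(versions):
        flag = " (exploited in the wild)" if version in ACTIVELY_EXPLOITED else ""
        print(f"  IE {version}: {sorted(versions[version])}{flag}")
```

Clients flagged for versions 8 and 9 are the ones to move to the workaround or an alternate browser first.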