Microsoft has released a temporary 'Fix It' for a zero-day flaw affecting older versions of its Internet Explorer browser, following reports that the vulnerability is being exploited by ne'er-do-wells.
The flaw, identified in Microsoft Security Advisory 2794220, affects Internet Explorer 6, 7 and 8, but is not thought to be exploitable in Internet Explorer 9 or 10 - meaning Windows 8 users are off the hook on this one. For those affected, however, it's a serious bug: the flaw, first discovered by security research firm FireEye, allows an attacker to execute code under the privilege level of the current user.
To exploit the vulnerability, the attacker must somehow convince his or her victim to visit a site containing the malicious code. These sites have already been spotted in the wild, with researchers discovering multiple sites infected with the malware as far back as December. By injecting their code into apparently innocent sites - the first site to host the exploit code was the US Council on Foreign Relations' official website - attackers are able to infect all visitors using affected browser versions.
The obvious solution is to ditch the outdated browser in question: Microsoft's Internet Explorer 9 and 10 are both immune to this particular attack, as are third-party browsers from the likes of the Mozilla Foundation, Opera and Google. Alternatively, Microsoft has made a 'Fix It' pre-patch available, which disables the affected MSHTML shim until a proper patch is provided.
With a total of six websites known to be infected with the exploit code according to figures from anti-virus firm Sophos, the attack isn't exactly widespread - but the seriousness of a remote code execution attack, and the likelihood that malware authors will increase their efforts to make use of the flaw ahead of an official patch from Microsoft, mean that users are well advised to take action as soon as possible.
'If you use Internet Explorer, be sure you are using at least version 9 to avoid being a victim of these attacks. If you can't upgrade, consider using an alternative browser until an official fix is available,' Sophos' Chester Wisniewski advised following analysis of the vulnerability. 'Microsoft's Fix It is intended as a temporary workaround that could also be considered, but until an official fix is available I recommend avoiding IE 8 and lower.'