Microsoft has released a security advisory warning users of Internet Explorer 6, 7, and 8 of a zero-day remote code execution issue that can be exploited when a user browses to a malicious website. Internet Explorer 9 and 10 are not affected. The advisory was issued outside of Microsoft’s regularly scheduled Patch Tuesday updates.
“Today, we released Security Advisory 2794220 regarding an issue that impacts Internet Explorer 6, 7, and 8. We are only aware of a very small number of targeted attacks at this time. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message. Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help protect you from this issue,” Microsoft stated in an official blog post.
Microsoft is still working on a patch for this issue but has offered a few workarounds in the meantime for those who are affected:
- Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
- Deploy the Enhanced Mitigation Experience Toolkit (EMET)
This will help prevent exploitation by providing mitigations to protect against this issue and should not affect usability of websites. An easy guide for EMET installation and configuration is available in KB2458544.
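
A read-only check that the zone workarounds above are in place for the current user, added here as an example and not taken from Microsoft's advisory. It assumes the standard Internet Explorer zone registry layout (zone 1 = local intranet, zone 3 = Internet, action `1400` = Active Scripting, `CurrentLevel` `0x12000` = High) and a simplified precedence in which policy hives are read before per-user settings; the function and variable names are illustrative.

```powershell
# Added example: audits the Active Scripting / "High" zone workaround.
# Read-only; written to run on PowerShell 2.0, which ships with Windows 7.
$zones  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$states = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Assumed precedence: Group Policy hives first, then the per-user setting.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

# Returns the first configured value for a zone setting, with the key it came from.
function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    foreach ($root in $roots) {
        $key  = "$root\$Zone"
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item) {
            return New-Object PSObject -Property @{ Value = [int]$item.$Name; Source = $key }
        }
    }
}

$report = foreach ($zone in ($zones.Keys | Sort-Object)) {
    $scripting = Get-ZoneValue -Zone $zone -Name '1400'          # Active Scripting
    $level     = Get-ZoneValue -Zone $zone -Name 'CurrentLevel'  # zone template
    $state = 'Not set'; $source = ''
    if ($scripting) { $state = $states[$scripting.Value]; $source = $scripting.Source }

    New-Object PSObject -Property @{
        Zone            = $zones[$zone]
        ActiveScripting = $state
        HighTemplate    = [bool]($level -and $level.Value -eq 0x12000)
        # An unset value falls back to the zone default, so it is not counted
        # as mitigated; only Prompt (1) or Disabled (3) satisfies the workaround.
        Mitigated       = [bool]($scripting -and (@(1, 3) -contains $scripting.Value))
        Source          = $source
    }
}

$report | Select-Object Zone, ActiveScripting, HighTemplate, Mitigated, Source |
    Format-Table -AutoSize
```

Run it in the context of the user whose browser settings are being checked, since the `HKCU` values are per-user.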