Microsoft has issued a warning about a critical zero-day vulnerability in versions of Internet Explorer, that is being exploited in “limited, targeted attacks”.
The Seattle-based software giant said in an advisory
that only Internet Explorer 9 and Internet Explorer 10 are affected by the remote code execution vulnerability, and that it is working on a proper patch to defend users.
Microsoft published few details of the vulnerability, but there’s no doubt regarding how it could be exploited by determined attackers:
"The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
The risk is, of course, that computer users might have their computers infected by malware before the patch is made available – perhaps by tricking victims into visiting a boobytrapped website.
It’s becoming more and more common for hackers to target legitimate websites, injecting code into them which runs malicious code on third-party sites that exploits unpatched vulnerabilities in the visiting computers.