A new zero-day vulnerability that resides in all versions of Microsoft’s Internet Explorer was detected this past weekend (April 26-27, 2014), Microsoft confirmed.
The vulnerability, which could allow remote code execution, is being used in "limited, targeted attacks," according to an advisory issued by Microsoft. All versions of the web browser, IE 6 through 11, are affected by the vulnerability; this is significant because the flaw affects more than a quarter of the total browser market.
"The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft said. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer." Specifically, an attack could be triggered by luring visitors to a specially crafted web page, Microsoft further explained.
There is currently no patch available to protect against this vulnerability.
So what can you do to protect yourself and your computer?
- Do not use Microsoft’s Internet Explorer on any machine that you currently have (the US Department of Homeland Security’s Computer Emergency Readiness Team took the unusual step of also making this recommendation).
- Use an alternative browser, such as Chrome or Firefox.
If you use Windows XP on a home computer, you may want to update your operating system and also use a different browser until a patch is released. With Microsoft dropping support for XP, we believe this may be the first of many attacks that will target Windows XP.
- A patch will not apply to XP users.
- If you are an XP user, use an alternative browser.
- Upgrade your XP machines to Windows 7 or Windows 8.
Microsoft is currently investigating this vulnerability. As soon as a patch is released to protect against this flaw, we will update all of our clients’ computers.
As of 1:00 p.m. today, we have started pushing the Chrome browser out to all managed computers for clients to use as an alternative. If you have any questions, please contact the Help Desk.