The zero-day vulnerability exists, according to Microsoft, “due to the creation of uninitialized memory during a CSS function with Internet Explorer.” Under certain circumstances, an attacker can leverage the memory using a specially crafted Web page to gain remote code execution.
Microsoft said that use of protected mode in IE on Windows Vista and later operating systems should help limit the impact of the vulnerability. Using protected mode, an attacker would have “very limited rights” on the system. In addition, Microsoft is encouraging users to install workarounds available on its Security Research and Defense blog.
The company stressed that it is unaware of any active exploitation of the vulnerability, even though exploit code for the vulnerability has been published. It plans to provide a fix through its monthly security update or through an out-of-cycle update.
Rik Ferguson, security analyst at Trendo Micro, told the BBC: "As vulnerabilities go, this kind is the most serious as it allows remote execution of code. This means the attacker can run programs, such as malware, directly on the victim's computer. It is highly reminiscent of a vulnerability at the same time two years ago which prompted several national governments to warn against using IE and to switch to an alternative browser."
Jason Miller, security and data team manager at Shavlik Technologies, said that Microsoft has reported limited attacks on the vulnerability. He said that until Microsoft provides a fix, “it is important to monitor the situation" and recommended that users “lock down their Internet Explorer browsers” by using the workaround provided in the Microsoft blog.