Microsoft has confirmed the presence of an unpatched security hole in several versions of their Internet Explorer (IE) web browser, which is being used by attackers to hijack victims’ computers.
The zero-day vulnerability, when exploited, gives the attacker the same user rights as the current user (including administrative-level permissions) and opens the door to web-based attacks on unsuspecting users.
In a security advisory issued on the last day of 2012, the software giant classified the security bug as a “remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated”.
The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code. “An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer”, Microsoft stated.
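The bug class Microsoft describes above is a use-after-free: one part of the program keeps a raw pointer to an object after another part has released it. The following C program is an added illustration, not code from the page or from Internet Explorer; the DOM-like `node_t`, its reference-counting helpers and the "document vs. script handler" scenario are all hypothetical. It shows the dangling-pointer pattern beside the reference-counted fix, and stops short of dereferencing freed memory so that it runs deterministically.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical DOM-like node with a reference count (constructed example). */
typedef struct node {
    int refcount;
    char name[32];
} node_t;

node_t *node_create(const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->refcount = 1;                      /* creator holds the first reference */
    strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

void node_addref(node_t *n) {
    if (n) n->refcount++;
}

/* Drops one reference. Returns 1 if this call freed the object, 0 otherwise.
   The caller's pointer is always cleared, so a stale copy cannot be reused
   through this handle. */
int node_release(node_t **np) {
    if (!np || !*np) return 0;
    node_t *n = *np;
    *np = NULL;
    if (--n->refcount == 0) {
        memset(n, 0, sizeof *n);          /* scrub before returning to the heap */
        free(n);
        return 1;
    }
    return 0;
}

/* Safe accessor: a NULL handle yields -1 instead of a dereference. */
int node_name_length(const node_t *n) {
    if (!n) return -1;
    return (int)strlen(n->name);
}

/* Scenario: the document owns a node and a script handler also keeps a pointer
   to it. with_addref == 0 models the bug class: the handler never took its own
   reference, so the document's release frees the node out from under it.
   Returns the name length the handler reads, or -1 if the node is already gone
   (the point at which a real use would be a use-after-free). */
int handler_reads_node(int with_addref) {
    node_t *doc_node = node_create("div");
    node_t *handler_node = doc_node;      /* second holder of the same object */
    if (with_addref) node_addref(handler_node);

    int freed = node_release(&doc_node);  /* document drops its reference */
    if (freed) {
        /* handler_node now dangles; we refuse to touch it. */
        return -1;
    }
    int len = node_name_length(handler_node);
    node_release(&handler_node);          /* last reference: object freed here */
    return len;
}

int main(void) {
    printf("without addref: %d (dangling, not used)\n", handler_reads_node(0));
    printf("with addref:    %d (object still alive)\n", handler_reads_node(1));
    return 0;
}
```

The two runs differ only in whether the second holder took its own reference; in the first the object is destroyed while a pointer to it is still live, which is exactly the state a browser must never reach while a script can still reach the object.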
Microsoft has acknowledged that attacks exploiting this vulnerability have already taken place, specifically targeted at IE 8 users.
On Friday, multiple security firms confirmed that the Council on Foreign Relations (CFR) website had been compromised by attackers using the IE zero-day vulnerability. Researchers dubbed it a ‘watering hole attack’, since the website attracts contributions from a variety of users.
Microsoft confirmed that the bug only affects older versions of Internet Explorer - IE6, IE7 and IE8. The latest two - IE9 and IE10 - remain unaffected.
Windows XP users, who currently make up almost 35 percent of the global market share, remain vulnerable, as they cannot upgrade to IE9 or IE10 without a forklift upgrade of their entire OS.
Microsoft recommends that users running older versions of IE install a preliminary Fix-it until the full security update is ready. Microsoft’s next scheduled security update is January 8, 2013.