Update Sept. 21: Microsoft has issued an update to address the vulnerability in IE9 and earlier browsers, as described below. The update also addresses four other previously undisclosed IE vulnerabilities. The update can be found here.
The company also released a patch addressing issues in Adobe Flash Player in Internet Explorer 10 on Windows 8.
Update Sept. 20: Microsoft said yesterday that it has released the Fix it and that on Friday it will release an update for IE through Windows Update and other standard distribution channels. The Fix it is here.
Update 3:43 p.m.: Microsoft says it will release a “Fix it” in the next few days to address the issue. (A Fix it is a one-click solution an Internet Explorer user can install for protection until an update is available; according to Microsoft, it should not affect the user’s ability to browse the Web and does not require a reboot.)
Yunsun Wee, director, Microsoft Trustworthy Computing Group, issued a statement, saying:
There have been an extremely limited number of attacks — the vast majority of Internet Explorer users have not been impacted. We are working on an easy-to-use, one-click fix that will be released in the next few days, but in the meantime we recommend customers make sure their antivirus software is up-to-date. For more information on staying safe online, please visit Microsoft’s Safety and Security Center.
Microsoft is advising users of Internet Explorer 9 and earlier versions to install a mitigation toolkit (its Enhanced Mitigation Experience Toolkit, EMET), in response to reports of targeted attacks that trigger when users view a website hosting malicious code. (IE 10 is not affected.)
The mitigation tool and the other recommended measures are interim steps while Microsoft develops a security update, the company said in a blog post (http://blogs.technet.com/b/msrc/).
According to the company, the problem is this:
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
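The mechanism Microsoft describes, a retained reference to an object that has already been deleted, with the freed memory then reused, can be shown in miniature. The C program below is an added example, not code from the original post, from Microsoft, or from Internet Explorer itself: it uses a constructed first-fit slab in place of the browser heap, a function-pointer field in place of a C++ vtable pointer, and a handler returning 0xBAD in place of shellcode. All names (Slab, Element, Handle, vulnerable_sequence, hardened_sequence, resolve) are hypothetical. The vulnerable path dispatches through the stale pointer after the slot has been refilled; the hardened path holds a generation-checked handle instead of a raw pointer and refuses the stale reference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a tiny first-fit slab stands in for the
 * browser heap. It is not IE's allocator and not a real exploit. */
#define SLOT_SIZE  64
#define SLOT_COUNT 4

typedef union { unsigned char bytes[SLOT_SIZE]; void *align_; } Slot;

typedef struct {
    Slot     mem[SLOT_COUNT];
    int      in_use[SLOT_COUNT];
    uint32_t gen[SLOT_COUNT];   /* bumped on every free; checked by the hardened path */
} Slab;

static int slab_alloc(Slab *s) {            /* first-fit; returns slot index or -1 */
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!s->in_use[i]) {
            s->in_use[i] = 1;
            memset(s->mem[i].bytes, 0, SLOT_SIZE);
            return i;
        }
    return -1;
}

static void slab_free(Slab *s, int slot) { s->in_use[slot] = 0; s->gen[slot]++; }

/* A DOM-element-like object whose first field is a function pointer, playing
 * the role a vtable pointer plays in a C++ browser object. */
typedef struct Element {
    int (*on_click)(struct Element *self);
    int id;
} Element;

static int benign_handler(Element *e)   { return e->id; }
static int attacker_handler(Element *e) { (void)e; return 0xBAD; }  /* stands in for shellcode */

/* Vulnerable pattern: script keeps a raw pointer, the document deletes the
 * object, the allocator reuses the slot for attacker-sized data, and the stale
 * pointer then dispatches through attacker-controlled bytes. */
int vulnerable_sequence(void) {
    Slab slab;
    memset(&slab, 0, sizeof slab);
    int slot = slab_alloc(&slab);
    Element *e = (Element *)slab.mem[slot].bytes;
    e->on_click = benign_handler;
    e->id = 7;

    Element *stale = e;                      /* reference retained by script */
    slab_free(&slab, slot);                  /* object deleted */

    int reused = slab_alloc(&slab);          /* first-fit hands back the same slot */
    Element fake = { attacker_handler, 0 };
    memcpy(slab.mem[reused].bytes, &fake, sizeof fake);  /* "heap spray" refills it */

    return stale->on_click(stale);           /* 0xBAD: control flow hijacked */
}

/* Hardened pattern: script holds a handle (slot + generation) and every use
 * re-validates it, so a deleted object is never dispatched through. */
typedef struct { int slot; uint32_t gen; } Handle;

static Element *resolve(Slab *s, Handle h) {
    if (h.slot < 0 || h.slot >= SLOT_COUNT) return NULL;
    if (!s->in_use[h.slot] || s->gen[h.slot] != h.gen) return NULL;  /* stale */
    return (Element *)s->mem[h.slot].bytes;
}

int hardened_sequence(void) {
    Slab slab;
    memset(&slab, 0, sizeof slab);
    int slot = slab_alloc(&slab);
    Element *e = (Element *)slab.mem[slot].bytes;
    e->on_click = benign_handler;
    e->id = 7;

    Handle h = { slot, slab.gen[slot] };     /* what the script holds instead of a raw pointer */
    slab_free(&slab, slot);

    int reused = slab_alloc(&slab);
    Element fake = { attacker_handler, 0 };
    memcpy(slab.mem[reused].bytes, &fake, sizeof fake);

    Element *live = resolve(&slab, h);
    return live ? live->on_click(live) : -1;  /* -1: stale reference refused */
}

int main(void) {
    printf("vulnerable: 0x%x\n", vulnerable_sequence());
    printf("hardened:   %d\n", hardened_sequence());
    return 0;
}
```

The slab keeps every slot inside one live array, so the stale dispatch is deterministic here rather than undefined behaviour on a real heap; that is deliberate, so the reuse step can be observed and asserted. Real browsers reach the same outcome through the process heap, which is why allocator hardening and reference-validation patterns (reference counting, generation-tagged handles) are the usual fixes for this class of bug.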
Reuters reports that a researcher in Luxembourg discovered the flaw in IE on Friday “when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs. When he analyzed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or ‘zero-day’ vulnerability, in Internet Explorer.”