A new vulnerability has been detected in Internet Explorer that allows remote execution of arbitrary code on affected computers. The alert comes from Microsoft itself, which lists some security measures to adopt until the flaw is corrected.
The vulnerability affects all supported versions of the browser, that is, IE6, IE7 and IE8. The exception is the Internet Explorer 9 beta, which, according to Microsoft, is not exposed to the flaw.
«A new 0-day vulnerability, which affects IE versions 6, 7 and 8, is being used for attacks. In general, the user receives a message with a link and, when selecting it, is directed to a page that determines which browser is used. If it is one of those mentioned, the user is referred to the page that hosts the malicious code, which is automatically downloaded. From there, the computer can be controlled remotely without the user even being aware of it», explains Symantec.
To prevent attacks, Microsoft recommends that users read their emails in plain text format, not HTML.
Users of IE 7 can also enable the Data Execution Prevention feature in the browser's settings, a feature that is enabled by default in IE8. Anyone still running IE 6 should set the Security Level to the maximum category.
Until the fix arrives, Internet Explorer users are also advised to consider the Enhanced Mitigation Experience Toolkit (EMET) as a resource.
Microsoft has already scheduled the release of its monthly security update package for November 9, and it is unlikely that it will include a fix for the newly disclosed vulnerability. There is always the chance that the software giant will release an emergency patch in the meantime, or else defer the patch to a later Patch Tuesday.