A flaw in Microsoft’s Internet Explorer (IE) 6, 7 and 8 could allow hackers to take control of a Windows-based computer if the user browses to a malicious website. Security Advisory 2794220 was issued over the weekend and soon after a team blog reported that, “We are only aware of a very small number of targeted attacks at this time. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.”
Microsoft has made a temporary fix available for the zero-day vulnerability until it can deliver a formal patch.
Be particularly careful if you are using versions 6, 7 or 8 of the IE browser. Versions 9 and 10 are not affected by the vulnerability. Check which version of IE you’re running by opening IE, click the Help question mark icon on the right and choose About Internet Explorer. To upgrade an older version of IE, go to Start > Control Panel > Windows Update.
We recommend switching browsers for a more secure one like Google Chrome. In addition to being more secure than IE 8, it is also faster and supports HTML 5, giving you a better browsing experience. Download free Google Chrome here.
While we were researching the websites currently serving the new Microsoft Internet Explorer (IE) zero-day threat, we found that the new attack is being piggybacked on a slightly older attack aimed on industrial companies’ websites.
The hacked legitimate websites contain on their main pages a hidden iframe.
It was brought to our attention by this thorough Eric Romang article that a new zero-day exploit (an exploit actively used by cybercriminals in the wild) targets a bug in Microsoft’s Internet Explorer (IE) 7 & 8, and with some help from Java, it could be also exploited on IE 9, as confirmed by the Metasploit firm. At this time, as there is yet no patch from Microsoft, what can you do?