A security advisory confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer and Microsoft is working on a fix.
The advisory addressed the zero-day vulnerability found and disclosed by researcher Eric Romang over the weekend. On Monday, the open-source Metasploit penetration-testing framework published an exploit module for the bug, which put pressure on Microsoft to act quickly.
“We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue,” said Yunsun Wee, director of Microsoft’s Trustworthy Computing group.
All but one supported edition of IE are affected: 2001’s IE6, 2006’s IE7, 2009’s IE8 and last year’s IE9. Together, those browsers accounted for 53% of all browsers used worldwide in August. The only exception was IE10, the browser bundled with the new Windows 8, which does not contain the bug.
Early in the day Monday, Microsoft said it was investigating a vulnerability but did not promise a patch.
The bug, when Microsoft does patch it, will rate as “critical,” the company’s highest threat ranking. Exploiting the flaw allows attackers to execute arbitrary code and opens Windows XP, Vista and Windows 7 to drive-by attacks that only require getting victims to visit a malicious or compromised website.
Until a patch is available, Microsoft recommended that users block attacks by deploying EMET 3.0 (Enhanced Mitigation Experience Toolkit), raising IE’s Internet security zone setting to “high,” and configuring the browser to display a warning before executing scripts.
EMET is a tool designed for advanced users, primarily enterprise IT professionals, that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications.
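The script-prompt workaround above can be applied and verified from PowerShell rather than by clicking through the Internet Options dialog. The following is an added example, not part of the original article or any Microsoft guidance; it assumes the documented layout of the per-user zone settings (zone 3 is the Internet zone, action value 1400 is Active Scripting, and 0/1/3 mean Enable/Prompt/Disable), and it only touches the current user's settings, so a Group Policy deployment would still be needed for a fleet.

```powershell
# Added example: audit and harden the IE Internet-zone Active Scripting setting.
# Assumptions (documented zone layout, not taken from the article):
#   Zone 3          = Internet zone
#   Value name 1400 = "Active scripting" action
#   0 = Enable, 1 = Prompt, 3 = Disable
$ZoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScripting = '1400'
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeActiveScriptingState {
    # Returns the numeric action value, or $null when the key/value is absent
    # (absent means the zone template default, which is Enable for Internet).
    $item = Get-ItemProperty -Path $ZoneKey -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ActiveScripting
}

function Set-IeActiveScriptingPrompt {
    # Set Active Scripting to Prompt (1) for the Internet zone, as the
    # interim workaround describes. Returns the value written.
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $ZoneKey -Name $ActiveScripting -Value 1 -Type DWord
    return (Get-IeActiveScriptingState)
}

# Report current state, then harden if scripts run without a prompt.
$current = Get-IeActiveScriptingState
$label   = if ($null -eq $current) { 'Enable (default)' } else { $Labels[$current] }
Write-Output "Internet zone Active Scripting is currently: $label"

if ($null -eq $current -or $current -eq 0) {
    $new = Set-IeActiveScriptingPrompt
    Write-Output "Changed Active Scripting to: $($Labels[$new])"
} else {
    Write-Output 'No change needed: scripts already prompt or are disabled.'
}
```

Run it in a normal (non-elevated) session, since the setting lives under HKCU; open browser windows pick the change up on restart. The check-before-set structure is deliberate: it leaves a stricter "Disable" setting alone instead of loosening it to "Prompt", and the audit function can be run on its own to confirm the workaround is still in place once the vendor patch ships and the setting is reverted.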
Microsoft may have committed to patching the IE vulnerability, but it has not said when it will offer the update. The next Patch Tuesday is Oct. 9.