Yesterday I wrote about a zero-day security bug in Internet Explorer 7 and 8 that's being actively exploited by cybercriminals. The bug was thought to affect only these older versions of Internet Explorer, but new information indicates that Internet Explorer 9 is also vulnerable, meaning Windows Vista and Windows 7 systems are also at risk of being infected.
The only version of Internet Explorer that's not vulnerable is IE10, but this browser is currently only available in the Windows 8 release previews. Microsoft investigated the issue and said it's working on a patch, but did not confirm whether it would be an out-of-cycle update. Given the high risk and the fact that the bug is already being actively exploited, it seems likely that the patch will be rolled out as soon as possible.
"We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue," blogged Yunsun Wee, director of the Microsoft Trustworthy Computing Group.
In a security advisory, Microsoft explains the bug is related to the way Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability allows attackers to corrupt memory in a way that enables the execution of arbitrary code. By serving a specially crafted website, cybercriminals can exploit the vulnerability to infect a victim's PC with malware.
Until a patch is available, Microsoft recommends the following mitigations:
- Deploy the Enhanced Mitigation Experience Toolkit (EMET).
- Set the Internet and Local intranet security zone settings to "High" to block ActiveX controls and Active Scripting, and add trusted sites to the Trusted Sites zone to minimize browsing disruption.
- Configure IE to prompt before running Active Scripting, or disable Active Scripting altogether, in the Internet and Local intranet security zones. This also affects usability, so Microsoft recommends adding trusted sites to the Trusted Sites zone to minimize disruption.
Alternatively, you can also (temporarily) switch to another browser like Firefox or Chrome.
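The zone workarounds above can be applied without clicking through the Internet Options dialog. The following PowerShell script is an added example, not code from the original post or from Microsoft's advisory: it writes the per-user Internet Explorer zone settings for the Internet and Local intranet zones (disable ActiveX, prompt for Active Scripting), maps a couple of placeholder domains into the Trusted Sites zone so they keep working, and reads the values back so you can confirm the change. The registry paths are the standard "Internet Settings" keys; the zone IDs, setting IDs and action codes are the values this example assumes, and the domain names are placeholders.

```powershell
# Added example (not from the original post or from Microsoft): apply the
# advisory's zone workaround per user via the registry. Assumed mappings:
#   Zone IDs      : 1 = Local intranet, 2 = Trusted sites, 3 = Internet
#   Setting IDs   : 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
#   Action values : 0 = Enable, 1 = Prompt, 3 = Disable
$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$Zones = @{ 'Local intranet' = 1; 'Internet' = 3 }
$Hardening = @{ '1200' = 3; '1400' = 1 }   # block ActiveX, prompt before scripting

function Set-IEZoneHardening {
    foreach ($zone in $Zones.GetEnumerator()) {
        $key = Join-Path $Base "Zones\$($zone.Value)"
        foreach ($s in $Hardening.GetEnumerator()) {
            $before = (Get-ItemProperty -Path $key -Name $s.Key -ErrorAction SilentlyContinue).($s.Key)
            Set-ItemProperty -Path $key -Name $s.Key -Value $s.Value -Type DWord
            '{0,-15} setting {1}: {2} -> {3}' -f $zone.Key, $s.Key, $before, $s.Value
        }
    }
}

# Keep known-good sites usable by mapping them into Trusted Sites (zone 2).
# Placeholder domains; replace with the sites your users actually need.
function Add-IETrustedSite {
    param([string[]] $Domains = @('intranet.example.com', 'mail.example.com'))
    foreach ($d in $Domains) {
        $mapKey = Join-Path $Base "ZoneMap\Domains\$d"
        New-Item -Path $mapKey -Force | Out-Null
        # Only trust the site over HTTPS; use 'http' as well if the site has no TLS.
        Set-ItemProperty -Path $mapKey -Name 'https' -Value 2 -Type DWord
        "trusted: https://$d -> zone 2"
    }
}

# Read back the effective values so a change can be verified (or audited later).
function Get-IEZoneHardening {
    foreach ($zone in $Zones.GetEnumerator()) {
        $key = Join-Path $Base "Zones\$($zone.Value)"
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Zone           = $zone.Key
            ActiveX_1200   = $props.'1200'
            Scripting_1400 = $props.'1400'
        }
    }
}

Set-IEZoneHardening
Add-IETrustedSite
Get-IEZoneHardening | Format-Table -AutoSize
```

This writes under HKCU, so it only covers the current user; an enterprise rollout would push the same settings through Group Policy (Internet Explorer security zone policies) rather than per-user registry edits. Setting the individual 1200/1400 values is more reliable than changing the zone's overall level label, because IE applies the "High" template only when the slider is moved in the UI. Closing and reopening Internet Explorer is needed for the new values to take effect.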