Microsoft issued a security advisory on TechNet to warn of a new exploit that affects Internet Explorer 6, 7 and 8. The vulnerability allows attackers to perform remote code execution if users visit a malicious website. Ars Technica writes that the exploit became public after the website of the Council on Foreign Relations was hacked and compromised with JavaScript code that served malicious code to older IE browsers whose language was set to "English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian". The code then performed a heap-spray attack using Adobe Flash Player.
Microsoft advises upgrading to a newer version of IE and provides the following workarounds for cases where an upgrade isn't possible:
While we are actively working to develop a security update to address this issue, we encourage customers using affected versions of Internet Explorer to deploy the following workarounds and mitigations included in the advisory to help protect themselves:
1. Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
   This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
   This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
3. Deploy the Enhanced Mitigation Experience Toolkit (EMET)
   This will help prevent exploitation by providing mitigations to protect against this issue and should not affect usability of websites. An easy guide for EMET installation and configuration is available in KB2458544.
Internet Explorer 9 and 10 are not affected by this issue.
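The first two workarounds above, applied for the current user through the registry keys Internet Explorer reads for its security zones, as an added example that is not part of the advisory or of this post. It assumes the placeholder trusted host intranet.example.com; in a managed environment the same settings would normally be pushed by Group Policy rather than by a per-user script.

```powershell
# Added example, not from the advisory: tighten the Internet (3) and Local
# intranet (1) zones and whitelist a trusted site in the Trusted sites zone (2).
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# CurrentLevel is the template label shown on the slider; 0x12000 is "High".
# IE enforces the per-action values, so the two actions the advisory names
# are set explicitly as well: 1200 = Run ActiveX controls and plug-ins,
# 1400 = Active scripting (0 = enable, 1 = prompt, 3 = disable).
$HighLevel = 0x12000
$Disable   = 3
$zoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }

foreach ($zone in $zoneNames.Keys) {
    $key = "$zonesRoot\$zone"
    $before = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'1400'
    Write-Host ("{0} zone: Active scripting (1400) was {1}" -f $zoneNames[$zone], $before)
    Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $HighLevel -Type DWord
    Set-ItemProperty -Path $key -Name '1200' -Value $Disable -Type DWord
    Set-ItemProperty -Path $key -Name '1400' -Value $Disable -Type DWord
}

# The advisory's caveat: "High" breaks sites that need scripting, so sites you
# trust go into the Trusted sites zone. The value name is the scheme the mapping
# covers ('https', 'http' or '*'); a DWORD of 2 maps the host to zone 2.
$trustedSites = @('intranet.example.com')   # placeholder host (assumption)
foreach ($site in $trustedSites) {
    $key = "$zoneMap\$site"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

# Verify the effective per-zone settings after the change.
foreach ($zone in 1, 2, 3) {
    $p = Get-ItemProperty -Path "$zonesRoot\$zone"
    '{0}: CurrentLevel=0x{1:X} ActiveX(1200)={2} ActiveScripting(1400)={3}' -f `
        $zone, $p.CurrentLevel, $p.'1200', $p.'1400'
}
```

Restart Internet Explorer after running it; the third workaround (EMET) is a separate install and is not covered by this script.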