Microsoft Warns of Zero Day Bug Affecting Internet Explorer 6-8

Microsoft is currently investigating reports of a zero day bug affecting Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, the company announced in a Security Advisory. At issue is a remote code execution vulnerability that would allow attackers to seize control of a Windows PC.

How it works is IE attempts to reference and use an object that had previously been freed. The components of an exploit for such a vulnerability are typically:
  • Javascript to trigger the Internet Explorer vulnerability
  • Heap spray or similar memory preparation to ensure the memory being accessed after it has been freed is useful
  • A way around the ASLR platform-level mitigation
  • A way around the DEP platform-level mitigation

Microsoft suggests disabling certain services while it works on a patch. Alternately, you can use an different browser like Google Chrome

"The IE team is working around the clock to develop a security update to address this vulnerability for earlier versions of the product," Microsoft stated. " However, until the update is available, customers using Internet Explorer 8 can block the current targeted attacks by introducing changes to disrupt any of the elements of the exploit."

Those changes include disabling Javascript, disabling Flash, and disabling the MS-Help protocol handler along with ensuring "Java6" is not allowed to run.

The vulnerability is not present in IE9 or IE10.