Microsoft has released a security advisory bulletin (2887505) today indicating that the company is aware and investigating public reports of a remote code execution vulnerability in all supported versions of Internet Explorer. More specifically, Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9.
“The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft explained in a security advisory released on September 17th.
Since Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 all run in a restricted mode called “Enhanced Security Configuration”, the exploitation of this issue is mitigated. However, those on Internet Explorer 8 and Internet Explorer 9 on any other version of Windows are still vulnerable.
Once Microsoft concludes with the investigation, the devices and services giant will either release a security update on the next Patch Tuesday or as an out-of-cycle security update. It all depends on customer needs, as Microsoft puts it.
In the mean time, Microsoft has released a temporary fix-it solution, labeled as “CVE-2013-3893 MSHTML Shim Workaround”, which prevents exploitation of this issue. You can snag this fit-it solution via the download link below.
