IT Security & Policy
Microsoft Security Advisory (2458511) Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft released a security advisory[1] identifying a zero-day vulnerability (CVE-2010-3962) in all supported versions of Internet Explorer (IE) that could allow for remote code execution. Microsoft is aware of targeted attacks attempting to exploit this vulnerability. According to the ZDNet Zero Day blog[2], the exploit is being used in a combination of social engineering emails and drive-by downloads on compromised, legitimate sites in order to load trojan malware onto affected systems.

Though attacks have been observed in the wild, there is currently no public exploit code available. Microsoft is working to address the issue; however, no information is yet available on a patch release date. IE 9 Beta is unaffected by the vulnerability. Users are advised to set an alternative browser (e.g. Mozilla’s Firefox or Google’s Chrome) as their default until Microsoft addresses the issue. Users who require IE should consider upgrading to IE 9 Beta[3] to mitigate the risks.

[1] Microsoft Security Advisory (2458511) Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2458511.mspx

[2] Microsoft warns of new IE zero-day attacks
http://www.zdnet.com/blog/security/microsoft-warns-of-new-ie-zero-day-attacks/7655

[3] Internet Explorer 9 Beta Upgrade
http://www.microsoft.com/windows/internet-explorer/default.aspx

 

See also:

http://isc.sans.edu/diary.html?storyid=9874&rss