Microsoft is addressing a dangerous Internet Explorer zero-day vulnerability, issuing a temporary workaround until it releases an emergency out-of-band update scheduled for Friday.
The software giant acknowledged that attackers are targeting a zero-day flaw in Internet Explorer 6, 7, 8 and 9. It is urging users to apply an automated workaround or use the Enhanced Mitigation Experience Toolkit to make it harder for attackers to target the zero-day flaw.
"It will not affect your ability to browse the web, and it does not require a reboot of your computer," Microsoft's Yunsun Wee, director of Trustworthy Computing, said in a blog entry updating users.
In its advance notification, Microsoft rated the Friday MS12-063 bulletin "critical" for users of Internet Explorer running on Windows XP, Vista and Windows 7, and "moderate" for the browser running on its Windows Server software.
Microsoft said an error in the way the browser accesses an object in memory that has been deleted or has not been properly allocated can cause memory corruption, enabling an attacker to execute malicious code. "An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," Microsoft said in its advisory.
The zero-day flaw surfaced on Monday after researcher Eric Romang described the error in a blog post. Romang connected the flaw to the Nitro gang -- the same group that apparently used the recent Java zero-day in targeted attacks. The flaw could be exploited by malicious code embedded in user content or website advertisements on legitimate websites, Microsoft warned.