Security researchers are warning of a new zero-day vulnerability affecting Internet Explorer. The flaw has already been exploited in the wild.
The flaw, which affects Internet Explorer 7, 8 and 9 on Windows XP, Vista and Windows 7, was discovered over the weekend by researcher Eric Romang. In a blog post, Romang wrote that the Nitro gang -- the same group that apparently used the recent Java zero-day in targeted attacks -- could be connected to the IE vulnerability.
According to researchers at Boston-based Rapid7, users' computers can become infected simply by visiting a malicious website. In a blog post, they wrote that attackers have already been using the exploit in the wild.
Microsoft issues security advisory
The zero-day flaw affects Internet Explorer 6, 7, 8 and 9, according to security advisory 2757760 issued by Microsoft. The software giant said it is aware of targeted attacks that attempt to exploit the vulnerability.
"A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated," Microsoft said in its advisory. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
The flaw could be exploited by malicious code embedded in user content or website advertisements on legitimate websites, Microsoft warned.
Microsoft did not rule out providing an out-of-cycle security update to address the vulnerability.
Rapid7 advised users to switch to another browser such as Chrome or Firefox until Microsoft releases a security update.
A zero-day exploit module has been added to the Metasploit penetration testing toolkit to give security pros a way to test their systems to see if they are vulnerable, the Rapid7 researchers said.