Late Saturday evening, Microsoft issued a public advisory confirming the existence of a new vulnerability in Internet Explorer that's being used in targeted attacks online.
The vulnerability was disclosed by researchers at FireEye, who observed attacks against Internet Explorer versions 9 though 11. While criminals seem to be focused on the later releases, all versions of Internet Explorer are affected.
[ The Web browser is your portal to the world -- and the gateway for security threats. InfoWorld's expert contributors show you how to secure your Web browsers. Download the free PDF today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Exploits leveraging the use-after-free vulnerability will bypass protections in ASLR and DEP and gain code execution privileges.
In a blog post, FireEye explains:
Threat actors are actively using this exploit in an ongoing campaign which we have named Operation Clandestine Fox. However, for many reasons, we will not provide campaign details. But we believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.
In addition, FireEye researchers stated the group responsible for this exploit has had access to "a select number of browser-based 0-day exploits in the past."
Moreover, the group is proficient at lateral movement, and have been difficult to track as they rarely reuse command and control infrastructure.
Until a patch is released, Microsoft has said that EMET will help mitigate attacks against this flaw.
Further, versions of Internet Explorer running with the default Enhanced Security Configuration are not at risk, provided that the malicious website used to target the vulnerability isn't listed in the Trusted sites zone.
This is typically the case for Internet Explorer on Windows Server 2003, Windows Server 2008 (and 2008 R2), and Windows Server 2012 (and 2012 R2).
Microsoft hasn't said if they will release an out-of-cycle patch for this flaw, only that they'll take the "appropriate action" once the investigation is completed.