Internet Explorer's handling of CSS has been found to contain a remote code execution vulnerability.
Microsoft has issued a warning about an unpatched zero-day vulnerability in Internet Explorer, which leaves Windows open to attack.
The vulnerability, discussed in Microsoft's Security Advisory 2488013
, relates to Internet Explorer's handling of malicious Cascading Style Sheet (CSS) code, and can be exploited to overwrite uninitialised memory and execute arbitrary code.
The flaw can be exploited to remotely run code under the account of a logged in user by simply visiting a CSS website that contains malicious code. It's a serious issue, but it's one that Microsoft believes isn't currently being exploited by ne'er-do-wells.
There is no known fix for the flaw at present, although Microsoft reports that it's 'investigating new, public reports of a vulnerability in all supported versions of Internet Explorer, and on completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
In the meantime, the company advises users to run Internet Explorer in Protected Mode and ensure that their main user account is not configured as a system administrator. This will limit the rights available to malicious code executed from within the browser.
Although Microsoft claims to be 'unaware of any active exploitation of this vulnerability
,' it does confirm that the flaw is public knowledge. This potentially means that attackers could quickly pick up on it and start to exploit the flaw before Microsoft fixes it.
Are you disappointed to see yet another security hole appear in Internet Explorer, or just pleased that Microsoft is looking into the problem as soon as public reports surfaced? Share your thoughts over in the forums