Microsoft has issued a warning regarding another unpatched zero-day vulnerability in its Internet Explorer 9 and 10 browsers, which can allow for arbitrary code execution simply through visiting a malicious webpage.
Microsoft's Internet Explorer 9 and 10 are both vulnerable to a zero-day flaw in the MSHTML shim, with Microsoft recommended a Fix It workaround until a formal patch is released.
Confirmed late yesterday in an official security advisory
, the flaw is serious: while Microsoft claims to be aware of only 'limited, targeted attacks
' against the vulnerability the lack of an official patch coupled with the wide spread of Internet Explorer means that ne'er-do-wells will be racing to exploit the vulnerability before Microsoft can issue an update to close the hole.
'This issue allows remote code execution if users browse to a malicious website with an affected browser,
' confirmed Microsoft group manager of response communications Dustin Childs of the flaw. 'This would typically occur by an attacker convincing someone to click a link in an email or instant message. We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.
Although no automatic fix is likely to be released before next Patch Tuesday, on the second Tuesday of March, the company has deemed the vulnerability severe enough to offer a Fix-It workaround
which disables the affected MSHTML shim until a formal fix can be released - but doing so will, naturally, result in any software which relies on the shim failing to work correctly. Alternative workarounds for the flaw include upgrading to Internet Explorer 11, which is not affected, or installing the Enhanced Mitigation Experience Toolkit
the status of which current attacks look for before installing themselves refusing to do so if the toolkit is present.
This is far from the first time a major remote-code execution vulnerability has been discovered in IE's MSHTML shim: the same component has been blamed for multiple such flaws in the security of the browser, most recently in January 2013
and again in September of that year