Microsoft warns of critical IE9, IE10 zero-day

February 20, 2014 // 10:54 a.m.

Tags: #browser #dustin-childs #ie10 #ie9 #internet-explorer #mshtml #mshtml-shim #security #vulnerability #windows #zero-day

Microsoft has issued a warning regarding another unpatched zero-day vulnerability in its Internet Explorer 9 and 10 browsers, which can allow for arbitrary code execution simply through visiting a malicious webpage.

Confirmed late yesterday in an official security advisory, the flaw is serious: while Microsoft claims to be aware of only 'limited, targeted attacks' against the vulnerability, the lack of an official patch, coupled with the wide spread of Internet Explorer, means that ne'er-do-wells will be racing to exploit the vulnerability before Microsoft can issue an update to close the hole.

'This issue allows remote code execution if users browse to a malicious website with an affected browser,' confirmed Microsoft group manager of response communications Dustin Childs of the flaw. 'This would typically occur by an attacker convincing someone to click a link in an email or instant message. We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.'

Although no automatic fix is likely to be released before next Patch Tuesday, on the second Tuesday of March, the company has deemed the vulnerability severe enough to offer a Fix-It workaround which disables the affected MSHTML shim until a formal fix can be released. Doing so will, naturally, result in any software which relies on the shim failing to work correctly. Alternative workarounds for the flaw include upgrading to Internet Explorer 11, which is not affected, or installing the Enhanced Mitigation Experience Toolkit: current attacks check for the toolkit before installing themselves and refuse to do so if it is present.

This is far from the first time a major remote-code execution vulnerability has been discovered in IE's MSHTML shim: the same component has been blamed for multiple such flaws in the security of the browser, most recently in January 2013 and again in September of that year.