Internet Explorer Zero-Day Hits All Versions In Use
This remote code execution vulnerability allows an attacker to run code on a victim system if the user visits a website under the control of the attacker. While attacks are only known against three IE versions (IE 9-11), the underlying flaw exists in all versions of IE in use today (from IE 6 all the way to IE 11).
This vulnerability may linger unpatched in many systems for some time, as it is the first vulnerability affecting Windows XP systems that will not be patched. We had warned before that the risk of using Windows XP would increase over time, and this vulnerability is proof of that. The millions of users still running this operating system will be left with a security hole that will never be fully fixed. (Our primer Managing Your Legacy Systems contains best practices for securing Windows XP systems.)
Serious as this vulnerability is, it’s not all bad news. First of all, the vulnerability can only run code with the same privileges as the logged-in user. Therefore, if the user’s account does not have administrator rights, the malicious code will not run with them either, which partially reduces the risk. (Of course, this only helps if the user’s account isn’t set up as an administrator in the first place.)
Secondly, Microsoft has provided some workarounds as part of their advisory; of these, enabling Enhanced Protected Mode (an IE10 and IE11-only feature) is the easiest to do. In addition, the exploit code requires Adobe Flash to work, so disabling or removing the Flash Player from IE also reduces the risk from this vulnerability.
We will continue to monitor this threat and provide new information as necessary.