Recent reports suggest cyber-terrorists have found a new security hole in older versions of Internet Explorer (IE6, IE7 and IE8). Yesterday, MSRC released Security Advisory 2794220. The advisory highlights a few new vulnerabilities that affect Internet Explorer 6, 7 and 8. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8. The latest versions, Internet Explorer 9 and Internet Explorer 10, remain immune to most vulnerabilities.
The vulnerability allows remote code execution if users browse to a malicious website with a compromised browser. Such instances usually occur when an attacker convinces someone to click a link in an email or instant message.
Upon completion of the investigation, Microsoft plans to take the necessary action against such threats. That action may take the form of a solution delivered through the company's security update release process or an out-of-cycle security update, depending on customer needs.
Some believe the best protection against exploits for this vulnerability is for the vulnerable code not to be present. Upgrading to the latest versions of the browser, Internet Explorer 9 or 10, which do not include the vulnerable code, may therefore help overcome the problem to a great extent.
Also, as mentioned earlier, the IE team is working around the clock to develop a security update that addresses this vulnerability in earlier versions of the product. Until then, IE 8 users can block the targeted attacks by making changes that disrupt any of the elements of the exploit. These include:
- Disabling Flash to prevent the ActionScript-based heap spray from preparing memory such that the freed object contains exploit code.
- Disabling the ms-help protocol handler to block the ASLR bypass and the associated ROP chain.
In addition, Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center: enable a firewall, apply updates, and install anti-virus and anti-spyware software.
You can see the suggested workarounds at Microsoft Security Advisory (2794220) and download the Microsoft Fix It to fix the MSHTML Shim vulnerability.