Microsoft confirmed the presence of a zero-day vulnerability in several versions of Internet Explorer that could leave Windows computers open to attacks. The problem has appeared in IE 6, 7, and 8, although it has not been identified in the most recent iterations of the browser.
“The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” Microsoft said, confirming the bugs in a security advisory on December 29. An attacker can take advantage of the security weakness and execute arbitrary code while the computer’s owner is browsing with Internet Explorer.
According to Computerworld, the attacks stemmed from the website for the Council on Foreign Relations. Visitors to the non-partisan foreign policy think tank site were subject to attacks through Adobe Flash Player. The organization has not commented on the security of its website.
Microsoft said it has released a preliminary workaround to protect those machines with the most up-to-date versions of its compromised browsers until a full update is ready. The advisory included a list of suggested actions for people to take to secure their machines. Microsoft also encouraged users of Internet Explorer to upgrade to either IE 9 or the latest IE 10 in order to avoid security gaps.
Microsoft faced similar security troubles late last year, releasing an emergency update notifying customers of a bug in ASP.NET that could be used by hackers to bring down website servers.