UK and US Governments urge users to give up on Internet Explorer

Microsoft has discovered a zero-day vulnerability in Internet Explorer

Microsoft has issued a warning about a newly discovered zero-day flaw in Internet Explorer, the first to be discovered after Windows XP reached end-of-life. The vulnerability is present in all versions of the software from Internet Explorer 6 (including 7, 8, 9, 10 and 11) and could allow for the remote execution of code if exploited.

This has caused US-CERT, the United States Computer Emergency Readiness Team, and its UK counterpart, UK-CERT, to issue a warning advising Windows XP users and those who cannot follow Microsoft's recommendations to use an alternate browser.

Detailing the flaw in a blog post, Microsoft writes: "The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."

According to Microsoft, an attacker seeking to exploit the vulnerability via the web would need to create a specially crafted website containing code to do so and would also have to convince would-be victims to visit the site. Nevertheless, the company is advising all users to run an enabled firewall, apply all software updates and install anti-malware software.

Reducing risk

A number of situations have been outlined that will mitigate user risk. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode known as Enhanced Security Configuration, which reduces exposure to the flaw.

Likewise, Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, again minimising risk.

Microsoft has not yet released a patch to solve the issue, nor has it provided a date for when one might be available. It has advised that a solution may be provided either through its monthly security update release process or via an out-of-cycle security update.

Windows XP users will not receive a patch for the vulnerability, with support for the operating system having ended earlier this month.
