A new zero-day exploit in Internet Explorer making the rounds has security experts from Microsoft and Google on their heels. The drive-by flaw is being used to gain access to Gmail accounts and remains unpatched as of writing, although Microsoft has issued a downloadable tool to block the exploit from being used.
Both companies have issues security advisories with regards to the issue. Microsoft has explained the vulnerability as one that could allow remote code execution should an IE browser user visit a website that implements the malicious code.
They point out that a user would first have to be led to the site as there’s no way the attacker can force the victim to visit an infected page. This of course could be done by clicking a link in an email, in a chat room or on an instant messaging service.
In more technical terms, the exploit happens when MSXML tries to access an object in memory that has not been initialized. This could corrupt the memory and allow an attacker to execute code.
Microsoft says that the vulnerability affects all versions of Windows and all supported editions of Office 2003 and Office 2007.
IE users are encouraged to download a tool that blocks the attack vector while a full patch is being developed. The company further recommends using the Enhanced Mitigation Experience Toolkit which helps to prevent software vulnerabilities. Furthermore, individuals can set up Internet Explorer to provide a prompt before running Active Scripting or disabling Active Scripting. These settings can be found in the Internet and Local intranet security zone.