Microsoft on Saturday issued a security advisory for a vulnerability in Internet Explorer that could allow for remote code execution. The Redmond-based company said they are aware of limited, targeted attacks that attempt to exploit a vulnerability in versions 6 through 11 of Internet Explorer.
According to security firm FireEye, however, IE versions 9, 10 and 11 are the only ones being actively targeted at this time. Even so, it's a serious threat, as the vulnerable versions represent about a quarter of the total browser market, FireEye said.
The firm further points out that the exploit leverages a previously unknown use-after-free vulnerability as well as a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) protections.
Microsoft claims an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website. If successful in infecting a system, the attacker could gain the same user rights as the current user.
Once an investigation is complete, Microsoft said they will take the appropriate action to protect customers. That may include providing a solution through their monthly security update release process or an out-of-cycle security update.
Until then, it would be wise to avoid using Internet Explorer completely and stick with other popular alternatives such as Chrome, Firefox or Safari.