Danger! Internet Explorer zero-day vulnerability – no patch yet

Danger zone
Microsoft has released a security advisory about a previously unknown vulnerability in versions of Internet Explorer. There is currently no patch for the vulnerability which is being blamed, in part, for the high-profile attacks against Google, Adobe and other companies.

Microsoft has published some mitigation advice and workarounds which can reportedly help block attack vectors, but at the time of writing there is no official patch available.

There has been much speculation in the computer security industry (including some from myself!) that an Adobe PDF vulnerability could have been the route through which hackers delivered malware into Google and Adobe’s systems. Certainly we have seen a significant rise in the last year of targeted attacks exploiting vulnerabilities in Adobe’s code.

But researchers close to the Google/Adobe hacking investigation say that they have found no evidence so far of the attack exploiting Adobe’s software in this way. Indeed, a statement posted yesterday on Adobe’s blog confirms this.

So, right now, Microsoft Internet Explorer is being looked at with suspicion. And as the world’s most popular internet browser it’s obviously a serious cause for concern that an unpatched vulnerability that allows remote code execution exists that is being actively exploited by cybercriminals.

System administrators and computer owners around the world will be holding their breath that an official patch from Microsoft arrives sooner rather than later. In the meantime, Microsoft is recommending that Internet Explorer users use Data Execution Prevention (DEP) – a technology that is enabled in Internet Explorer by default but needs to be turned on in earlier versions.