Microsoft recently published an advisory acknowledging the existence of a vulnerability in versions 6, 7 and 8 of Internet Explorer.
"The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," the advisory states. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
"Microsoft's confirmation comes after reports from several security groups that the attack sprung from the Council of Foreign Relations website, creating a 'watering hole attack' that left people who visited the site through older versions of the browser open to further attack," notes Ars Technica's Megan Geuss. "The company has released a workaround for the problem, and said that it is working on a patch for IE 6, 7, and 8, but did not give a time period as to when those patches would be released."
"Among its workarounds and mitigations, Microsoft recommends setting Internet and local intranet security zone settings to high, which will block ActiveX controls and Active Scripting in these zones; users should add trusted sites to IE’s Trusted Sites zone because this mitigation will impact the usability of some websites," writes Threatpost's Michael Mimoso. "Microsoft also recommends administrators configure IE to prompt users before running Active Scripting, or disable it altogether."
"Newer versions of IE, including 2011's IE9 and this year's IE10, are not affected, Microsoft said," writes Computerworld's Gregg Keizer. "It urged those able to upgrade to do so."