The Department of Homeland Security Computer Emergency Response Team (CERT) has issued the following advisory for users of Microsoft Internet Explorer versions 6 through 11.
US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.
US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.
For more details, please see VU#222929.
According to the details of VU#222929:
Overview
Microsoft Internet Explorer contains a use-after-free vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Microsoft Internet Explorer contains a use-after-free vulnerability. This can allow for arbitrary code execution. Internet Explorer versions 6 through 11 are affected.
Note that this vulnerability is being exploited in the wild. Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.
Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.
Solution
We are currently unaware of a practical solution to this problem. Please see Microsoft Security Advisory 2963983 for workarounds. Please also consider the following workarounds:
Use the Microsoft Enhanced Mitigation Experience Toolkit
The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.
All bolding by diarist.
According to CNET, an advisory of this type is very rare for DHS CERT to issue.
While the Department of Homeland Security's Computer Emergency Readiness Team regularly issues browser advisories, this is one of the few times that the CERT team has recommended that people avoid using a specific browser.
A tip of the hat to
ItsSimpleSimon for his cogent observation!
Note to Windows XP users:
XP users will not receive an update when Microsoft resolves this bug:
If you’re still using Windows XP, you do realize that Microsoft stopped supporting the operating system earlier this month, right?
You see, the computer giant has just said it’s been alerted to a serious security flaw in versions 6 through 11 of its Internet Explorer Web browser. The good news is it’s promising to roll out a fix for users soon; but the bad news is if you’re still using XP, you’ll get no fix, leaving your machine vulnerable to attack.