IE Zero-Day Vulnerability, Security Advisory 2963983

[Corrine]

Microsoft released Security Advisory 2963983 which relates to a vulnerability in Internet Explorer.

With the vulnerability, an attacker could cause remote code execution if someone visited a malicious website with an affected browser. Generally, this would occur by an attacker convincing someone to click a link in an email or instant message.

Although the vulnerability affects all versions of IE, at this time, Microsoft is aware of limited, targeted attacks, in which the exploit observed appears to target IE9, IE10 and IE11.

Recommendations are available in Microsoft Security Advisory 2963983 as well as my blog post, Security Advisory 2963983, IE Zero-Day Vulnerability which includes additional references.

 

[Corrine]

Microsoft Internet Explorer Use-After-Free Vulnerability Guidance | US-CERT

US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser.

UK Government officials have also advised using an alternate browser: UPDATE 2-US, UK advise avoiding Internet Explorer until bug fixed: Thomson Reuters Business News - MSN Money

Google Chrome and Mozilla Firefox (as well as Pale Moon) run on Windows XP and will receive security fixes until at least April 2015.

 

[Corrine]

An out of band security update is being released today. In a surprising move, Microsoft has indeed decided to issue an update for Windows XP users!

MSRC Blog Post: Out-of-Band Release to Address Microsoft Security Advisory 2963983

 

[Corrine]

The update has been released. See Out of Band Security Update for IE Zero-Day Vulnerability