Microsoft confirms zero-day bug in IE6, IE7 and IE8

JMH

Microsoft on Saturday confirmed that Internet Explorer (IE) 6, 7 and 8 contain an unpatched bug -- or "zero-day" vulnerability -- that is being used by attackers to hijack victims' Windows computers.
The company is "working around the clock" on a patch, its engineers said. They have also released a preliminary workaround that will protect affected IE customers until the update is ready.
In a security advisory issued Dec. 29, Microsoft acknowledged that attacks are taking place. "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," the alert stated.
Newer versions of IE, including 2011's IE9 and this year's IE10, are not affected, Microsoft said. It urged those able to upgrade to do so.
Microsoft confirms zero-day bug in IE6, IE7 and IE8 - Computerworld
 
Microsoft Responds to IE Zero Day Used in CFR Watering Hole Attack

Microsoft responded this weekend with temporary mitigations and workarounds for a zero-day vulnerability in Internet Explorer exploited in an attack on the Council on Foreign Relations website.

IE 6, 7 and 8 are vulnerable to exploits that would enable a remote attacker to execute code on a computer running the flawed browser. IE 9 and 10, the latest versions of the browser, are not vulnerable, Microsoft said.

Dustin Childs, group manager Trustworthy Computing, said in an email to Threatpost that Microsoft is working on a Fix-It and Security Update for the vulnerability. It is unknown whether Microsoft will issue an out-of-band patch, or wait until Jan. 8 when its next batch of scheduled security updates is due.
Microsoft Responds to IE Zero Day Used in CFR Watering Hole Attack | threatpost
 
