IE flaw could allow hackers to wreak havoc remotely
Be advised that if you're running Internet Explorer version 8 or 9, you could be a sitting duck for a remote code execution attack. Microsoft is aware of the zero day flaw and has issued an emergency Band-Aid as a temporary fix as it continues to investigate the issue. Applying Microsoft's "CVE-2013-3893 MSHTML Shim Workaround" prevents attackers from being able to exploit the security flaw until a permanent fix is rolled out.
"The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft explains in Security Advisory 2887505. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
According to security outfit Sophos, exploitation of the security flaw has already been witnessed in the wild. Though Microsoft is only calling out IE 8 and 9, Sophos says that doesn't necessarily mean users of IE 6, 7, 10, and 11 are safe.
Once Microsoft is finished investigating the severity of the issue, it will either issue an out-of-cycle security update or roll it into the next round Patch Tuesday updates in October, the latter of which is still several weeks away. What's available now is called a Fix It update, which are designed to offer users protection until a more thorough patch is released.