Microsoft today released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in IE. This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process.
The flaw affects all supported versions of IE and occurs because of "the creation of uninitialized memory during a CSS function within Internet Explorer." It's possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution.
Vista and Windows 7 users are at less risk than those on XP because of their OS's Protected Mode, which would limit the attacker's access rights. Microsoft suggests using EMET (Enhanced Mitigation Experience Toolkit) to protect all IE processes -- but it's a tool designed for admins, not the average home user.
"On completion of this investigation, Microsoft'll take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs. Currently, Microsoft is unaware of any active exploitation of this vulnerability," stated Microsoft.
Reference: Security Advisory 2488013
[tags]mitigations,dep,aslr,critical,flaw,remote code execution,rce,[/tags]