The security flaw, first disclosed by HP's Zero Day Initiative a few days ago, would allow an attacker who successfully exploits it to run arbitrary code on an unpatched system with the same privileges as the logged-in user. That means the damage is bounded by that account: a user browsing from an administrator account hands the attacker full control of the machine, while a standard user account limits what the attacker can do without a second flaw.
“The vulnerability exists due to improper handling of CMarkup objects within ‘CMarkup::CreateInitialMarkup.’ An unauthenticated, remote attacker could exploit this issue by enticing a user to view a specially crafted HTML document, triggering a memory corruption,” CERT-In warned in its advisory.
The vulnerability has only been found in Internet Explorer 8, so what matters is the browser version rather than the operating system: anyone still running IE8 is affected, and that includes Windows XP users, whose operating system no longer receives updates or security patches from Microsoft. Newer Internet Explorer builds, such as 10 and 11, are not affected by this particular flaw, so if you're running Windows 8 or 8.1 right now, no workaround is needed for it.
Microsoft told us in a statement that it's aware of the security flaw and is working to address it, with a fix to be released “when it's ready.”
The company hasn't said whether it plans to roll out an out-of-band fix or wait until next month's Patch Tuesday, but given that the next update rollout is only two weeks away, the latter is more likely.
“We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers. We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations,” the company said.
“We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer, which includes further protections.”
Windows XP users, however, won't receive the patch when Microsoft finally rolls it out, so their only options are to move to a newer OS version or to stop using Internet Explorer altogether. Both Google Chrome and Mozilla Firefox still run and are still updated on Windows XP, so switching to one of them removes exposure to this IE8 flaw. Keep in mind that it is only a stopgap: a different browser does nothing for the other unpatched flaws that will keep accumulating in Windows XP itself.