Over the weekend, Microsoft released Security Advisory 2963983 which describes a new zero-day vulnerability found in Internet Explorer.
This remote code execution vulnerability allows an attacker to run code on a victim system if the user visits a website under the attacker's control. While attacks are only known against three IE versions (IE 9 through IE 11), the underlying flaw exists in every version of IE still in use (from IE 6 all the way to IE 11).
This vulnerability may linger unpatched on many systems for some time, as it is the first vulnerability affecting Windows XP systems that will not be patched now that XP support has ended. Trend Micro had previously warned that the risk of using Windows XP would increase over time, and this vulnerability is proof of that. The millions of users still running this operating system are left with a security hole that will never be fully fixed.
However, there are a few pieces of good news:
· The vulnerability only runs code with the privileges of the logged-in user. If the user is working from a standard (non-administrator) account, the malicious code runs with those limited rights as well, which reduces, but does not eliminate, the impact.
· Microsoft has provided several workarounds as part of the advisory; of these, enabling Enhanced Protected Mode (a feature available only in IE 10 and IE 11) is the easiest. Note that it is off by default in desktop IE and only takes effect after IE is restarted.
For Windows XP users, Trend Micro recommends looking at our primer Managing Your Legacy Systems, which contains best practices for securing Windows XP systems. We also suggest disabling or removing the Flash Player from IE, as the exploit code requires Adobe Flash to work. Keep in mind that this blocks the known exploit code, not the underlying IE flaw, so it should be treated as a stopgap rather than a fix.
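The following PowerShell script is an added example, not code from the Trend Micro post or the Microsoft advisory. It applies the two workarounds discussed above on a single machine (enabling Enhanced Protected Mode where IE 10/11 is present, and disabling the Flash ActiveX control in IE through its kill bit) and then reports the resulting state. It assumes PowerShell 2.0 or later and an elevated prompt; the registry locations used are the documented ones for Enhanced Protected Mode and for ActiveX kill bits, and the function names are our own.

```powershell
# Added example: apply and verify two IE workarounds on the local machine.
# Assumes PowerShell 2.0+ and an elevated (administrator) session for the HKLM write.
$ErrorActionPreference = 'Stop'

# CLSID of the Shockwave Flash Object. Setting the kill bit (0x400) in
# "Compatibility Flags" under ActiveX Compatibility stops IE from loading it.
$FlashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBitKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$KillBitFlag = 0x400

# Enhanced Protected Mode (IE 10/11): "Isolation" = "PMEM" turns it on ("PMIL" is the
# legacy Protected Mode). "Isolation64Bit" = 1 also makes 64-bit IE use 64-bit
# content processes on 64-bit Windows.
$IeMainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-IeMajorVersion {
    # IE 10/11 report their real version in svcVersion; "Version" stays at 9.x.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $v = $ie.svcVersion
    if (-not $v) { $v = $ie.Version }
    return [int]($v.Split('.')[0])
}

function Set-FlashKillBit {
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    $current = 0
    $existing = Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue
    if ($existing -and $existing.PSObject.Properties['Compatibility Flags']) {
        $current = [int]$existing.'Compatibility Flags'
    }
    # OR the kill bit in so any other compatibility flags already set are preserved.
    New-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBitFlag) -PropertyType DWord -Force | Out-Null
}

function Enable-EnhancedProtectedMode {
    $ver = Get-IeMajorVersion
    if ($ver -lt 10) {
        Write-Warning "IE $ver has no Enhanced Protected Mode; rely on the other advisory workarounds."
        return $false
    }
    New-ItemProperty -Path $IeMainKey -Name 'Isolation' -Value 'PMEM' -PropertyType String -Force | Out-Null
    # 64-bit Windows: either 64-bit PowerShell, or 32-bit PowerShell running under WOW64.
    if ([IntPtr]::Size -eq 8 -or $env:PROCESSOR_ARCHITEW6432) {
        New-ItemProperty -Path $IeMainKey -Name 'Isolation64Bit' -Value 1 -PropertyType DWord -Force | Out-Null
    }
    return $true
}

function Get-WorkaroundStatus {
    $flags = 0
    if (Test-Path $KillBitKey) {
        $p = Get-ItemProperty -Path $KillBitKey
        if ($p.PSObject.Properties['Compatibility Flags']) { $flags = [int]$p.'Compatibility Flags' }
    }
    $iso = (Get-ItemProperty -Path $IeMainKey -ErrorAction SilentlyContinue).Isolation
    New-Object PSObject -Property @{
        IEVersion             = Get-IeMajorVersion
        FlashKillBitSet       = (($flags -band $KillBitFlag) -ne 0)
        EnhancedProtectedMode = ($iso -eq 'PMEM')
    }
}

Set-FlashKillBit
Enable-EnhancedProtectedMode | Out-Null
Get-WorkaroundStatus | Format-List
```

Both changes only take effect after IE is restarted, and the kill bit disables Flash for every site, not just untrusted ones, so test against any line-of-business sites that depend on it. On Windows XP the best the script can do is the kill bit, since Enhanced Protected Mode does not exist there; on a domain, the same Enhanced Protected Mode setting is better pushed through the IE Group Policy "Turn on Enhanced Protected Mode" than written per user.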
Trend Micro will continue to monitor this threat and provide new information as necessary.