All supported versions of Internet Explorer are vulnerable to a zero-day Exploit that is currently being exploited in targeted attacks against IE 8 and IE 9, dubbed “CVE-2013-3893 MSHTML Shim Workaround“.
Microsoft confirmed that the flaw was unknown before the attacks and that it is already working on an official patch, meantime Microsoft released an emergency software fix for Internet Explorer (IE) Web browser.
Advisory noted that Microsoft is investigating public reports of a remote code execution vulnerability in Internet Explorer.
This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. Victims could be infected despite the adoption of all necessary countermeasures due the nature of the flaw previously unknown.
The flaw that has been recently targeted by hackers during attacks is considerable serious and complicated to fix. State-sponsored hacking groups are often willing to pay hundreds of thousands of dollars for zero-day vulnerabilities in widely used software such as Internet Explorer.
In the specific case if the attacker successfully exploited the zero-day vulnerability could gain the same user rights as the current user, due this reason MS confirmed that whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft’s advisory also says that EMET (the Enhanced Mitigation Experience Toolkit) may be used to mitigate against the vulnerability.