updated 08:53 pm EDT, Tue September 17, 2013
Near-universal flaw affects Internet Explorer 6 through current revision
Microsoft has issued a security patch for Internet Explorer as an emergency measure to prevent customers from being affected by an "extremely limited, targeted attack." Users are advised to either immediately install the Microsoft-issued "Fix-it" patch or stop using Internet Explorer completely until Microsoft can issue a full update for the browser.
The flaw affects all supported versions of Internet Explorer, from Internet Explorer 6 through Internet Explorer 11. It allows remote code execution when an Internet Explorer user browses a website containing malicious code tailored to the specific version of the browser.
Microsoft says of the flaw that "the vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially-crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
"With the Fix It out, I'm sure any attacker who is a bit sophisticated can figure out what the flaw is and implement a similar exploit in their own attack toolkit," said security firm Qualsys' Chief Technology Officer, Wolfgang Kandek. He expects a permanent fix from Microsoft within two to three weeks, likely bundled with the Windows 8.1 update.