Microsoft has just published a 0-day vulnerability rated as a high-level threat for all versions of Internet Explorer 6.0 and greater, affecting all operating systems higher than Windows XP Service Pack 3. This vulnerability uses a corrupted memory object to remotely execute code on the victim's machine with the current user's privileges. More information about how the vulnerability is exploited can be found at Microsoft here.
All that is required for the victim to be exploited is to click a malicious link hosted by the attacker; this runs the attacker's code and gives the attacker access to the machine.
This attack can be delivered through social media sites, chat messages, email, and malicious websites. As a precaution it may be wise to change the default browser to something other than Internet Explorer until the affected machine is patched. Microsoft's instructions for changing the default browser are here: Windows 7 and Windows XP.
The scope of users affected is very high, since Microsoft Windows operating systems and Internet Explorer have been the de facto standard for more than a decade. Since Internet Explorer ships as the only browser in Windows, it is very easy not to bother installing a different browser. Internet Explorer still accounts for roughly a third of browser usage on average when compared with Chrome and Firefox.
Internet Explorer on Windows Server versions above 2003 is at a lower risk because it runs in Enhanced Security Configuration by default, and browsing the internet from a Windows server, or any server for that matter, is strongly discouraged as a security practice.
Patching can be a hectic task for admins whose environments depend on Internet Explorer, but it should be done immediately to prevent exposure.
The official Suggested Actions from Microsoft:
Here are some statistical results showing the average browser and operating system usage across the world: