Dustin Childs @ the Microsoft Security Response Center Blog:
31 Dec 2012 11:30 AM PST
We have updated Security Advisory 2749920 to include the Fix it we discussed in Saturday's blog post. This easy, one-click Fix it is available to everyone and prevents the vulnerability from being used for code execution without affecting your ability to browse the Web. Additionally, applying the Fix it does not require a reboot. While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems.
We continue to work on a security update to address this issue and we're closely monitoring the threat landscape. If the situation changes, we will post updates here on the MSRC blog.
http://blogs.technet.com/b/msrc/archive/2012/12/31/fix-it-for-security-advisory-2794220-now-available.aspx
For additional information, see the Microsoft Fix it Solution: "MSHTML Shim Workaround"
Dustin Childs @ the Microsoft Security Response Center Blog:
29 Dec 2012 3:06 PM
Today, we released Security Advisory 2794220 regarding an issue that impacts Internet Explorer 6, 7, and 8. We are only aware of a very small number of targeted attacks at this time. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.
Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help protect you from this issue.
While we are actively working to develop a security update to address this issue, we encourage customers using affected versions of Internet Explorer to deploy the following workarounds and mitigations included in the advisory to help protect themselves:
• Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
• Deploy the Enhanced Mitigation Experience Toolkit (EMET)
This will help prevent exploitation by providing mitigations to protect against this issue and should not affect usability of websites. An easy guide for EMET installation and configuration is available in KB2458544.
Over on the SRD blog, MSRC's own Jonathan Ness and Cristian Craioveanu go over some of the issue details. We are also actively working to package an easy, one-click Fix it solution that will help protect your computer. In their blog, Jonathan and Cristian describe the shim that will be included in the Fix it, and how it will be able to be used to help prevent the exploit from succeeding. We expect the Fix it will be available in the next few days and will update this blog when it is ready.
As always, we encourage people to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.
http://blogs.technet.com/b/msrc/archive/2012/12/29/microsoft-releases-security-advisory-2794220.aspx
See:
Security Advisory 2794220
New vulnerability affecting Internet Explorer 8 users
Related:
Attackers Target Internet Explorer Zero-Day Flaw
Council on Foreign Relations Website Hit by Watering Hole Attack, IE Zero-Day Exploit
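To check whether the Active Scripting workaround from the advisory is in place on a machine, the following PowerShell sketch (an added example, not part of the quoted Microsoft posts) reads URL action 1400 for the Local intranet and Internet zones. It assumes the standard Internet Explorer zone registry layout and only reports what it finds; it changes nothing.

```powershell
# Added example: audit the Active Scripting setting (URL action 1400) for the
# Local intranet (zone 1) and Internet (zone 3) security zones.
# Values for 1400: 0 = enabled, 1 = prompt, 3 = disabled.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Policy keys are listed first: when a value is present there, it is the one
# that applies, and the per-user preference below it is not what IE uses.
$hives = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

foreach ($zone in ($zones.Keys | Sort-Object)) {
    foreach ($hive in $hives) {
        $item = Get-ItemProperty -Path "$hive\$zone" -Name '1400' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value not set in this hive

        $value = [int]$item.'1400'
        $label = $meaning[$value]
        if ($null -eq $label) { $label = "Unknown ($value)" }

        New-Object PSObject -Property @{
            Zone            = $zones[$zone]
            Hive            = $hive
            ActiveScripting = $label
            # The advisory's workaround is "prompt" or "disable".
            MeetsWorkaround = ((1, 3) -contains $value)
        }
    }
}
```

A row with `MeetsWorkaround = False` in the first hive listed for a zone means Active Scripting still runs without a prompt there.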
