Microsoft Releases Temporary Fix for IE10 and IE9 Remote Code Execution Vulnerability

Around Valentine's Day 2014, FireEye Labs reported that they were working with Microsoft on a newly identified exploit that targeted IE10 through a vulnerability in Adobe's Flash scripting language. You can go ahead and take a moment to curse Adobe. We all do quite frequently.

And then, a few days later, Microsoft admitted that the exact same flaw exists in IE9. Now, less than a week after the first report, Microsoft has released a temporary fix to help protect IE9 and IE10 users. The workaround comes in the form of a Microsoft Fix-It component, offered while Microsoft works on a permanent solution in the form of an official security update.

The Microsoft Fix-It is available to run against affected PCs here: Microsoft security advisory: Vulnerability in Internet Explorer could allow remote code execution

For this Fix-It to work at all, the computer must already have the latest IE9 or IE10 updates installed. If you have delayed rolling out updates to your fleet of computers, you have more work to do than just pointing users to the Fix-It download page. A Fix-It component is a small piece of code that runs on the local computer; administrators can download it and deploy it themselves.

For this particular Fix-It solution, there are two separate downloads. One installs the workaround, the other uninstalls it.

The flaw allows a successful attacker to gain the same rights as the logged-on user. This is an important point to understand, since many companies still allow end users to hold administrative rights on the computers they use. Avecto recently released a study that reviewed Microsoft's 2013 security releases and showed that simply removing administrator rights from normal users would have eliminated the majority of potential intrusions and better protected the environment. Read about that in Removing Admin Rights Still the Best Security Measure. So, while this currently reported vulnerability could still succeed in attacking the PC, it would do considerably less damage under standard user credentials.
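The two practical questions an administrator has to answer for every PC before rolling out the Fix-It are the ones the paragraphs above raise: is this machine running an affected browser version, and is the person using it sitting on an administrator account? The script below is an added example (it is not from the original article, and it is not Microsoft's Fix-It or any code from the advisory) that reports both. The registry key and value names are the standard ones Internet Explorer writes; the `-FixItMsi` parameter and its path are a placeholder for whatever package you downloaded from the advisory page, and nothing is installed unless you pass it.

```powershell
# Added example: pre-deployment check for the IE9/IE10 advisory workaround.
# Reports the installed IE major version and whether the current user holds
# local administrator rights. Optionally installs a Fix-It MSI you supply.
param(
    # Placeholder path; replace with the Fix-It package downloaded from the advisory.
    [string]$FixItMsi = ''
)

function Get-IEMajorVersion {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # IE10 and later keep 'Version' at 9.x for compatibility and record the
    # real version in 'svcVersion', so prefer svcVersion when it is present.
    if ($props.PSObject.Properties['svcVersion']) {
        $raw = $props.svcVersion
    } else {
        $raw = $props.Version
    }
    return [int]($raw.Split('.')[0])
}

function Get-AdminStatus {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    # Token group membership tells us the account is an admin even when UAC
    # has filtered the token; IsInRole tells us whether this process is
    # actually running elevated right now.
    $inGroup  = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    return New-Object PSObject -Property @{
        User            = $identity.Name
        InAdminGroup    = $inGroup
        RunningElevated = $elevated
    }
}

$ieMajor  = Get-IEMajorVersion
# Only IE9 and IE10 are in scope for this advisory; -contains keeps this
# working on PowerShell 2.0, which has no -in operator.
$affected = @(9, 10) -contains $ieMajor
$admin    = Get-AdminStatus

Write-Output ("Internet Explorer major version : {0}" -f $ieMajor)
Write-Output ("Affected by advisory (IE9/IE10) : {0}" -f $affected)
Write-Output ("User                            : {0}" -f $admin.User)
Write-Output ("Member of local Administrators  : {0}" -f $admin.InAdminGroup)
Write-Output ("Process running elevated        : {0}" -f $admin.RunningElevated)

if ($admin.InAdminGroup) {
    Write-Warning 'User holds admin rights: a successful exploit would run with full control of this PC.'
}

if ($affected -and $FixItMsi -ne '') {
    if (-not (Test-Path $FixItMsi)) {
        throw "Fix-It package not found: $FixItMsi"
    }
    # Silent install of the supplied MSI; msiexec returns 0 on success and
    # 3010 when a reboot is still required.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/i', ('"{0}"' -f $FixItMsi), '/quiet', '/norestart') `
        -Wait -PassThru
    Write-Output ("msiexec exit code               : {0}" -f $proc.ExitCode)
}
```

Run it without arguments to get the report only; run it elevated with `-FixItMsi` pointing at the downloaded package to apply the workaround on machines the report marks as affected. The uninstall Fix-It mentioned above is a separate package and would be passed the same way with `/i`, since it is itself an installer that removes the workaround.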

Microsoft has also released a full Security Advisory which goes into greater detail about how the vulnerability works. You can read all about it here: Microsoft Security Advisory (2934088)

A permanent resolution is coming, but no fixed date has been given. This is serious enough, though, that we could see an out-of-band security update in the coming days.

P.S. This vulnerability affects only IE9 and IE10. It does not affect any other Internet Explorer versions.
