If you are still using Internet Explorer 9 or below, here is one more reason to upgrade to Internet Explorer 10, or perhaps take a look at one of the many excellent free alternatives. A critical zero-day vulnerability has been uncovered in Internet Explorer that could allow a remote attacker to execute arbitrary code on your system simply because you browsed to an infected page. The vulnerability is already being actively exploited in the wild. Affected versions include Internet Explorer 6, 7, 8, and 9.
Eric Romang was the first to report the vulnerability, which has since been confirmed by Microsoft. The exploit has four main components: the Exploit.html file, which acts as the starting point; the Moh2010.swf Flash file, which is responsible for spraying the heap with the payload that will be executed; the Protect.html file, which is the actual trigger for the vulnerability; and additional malicious components that are downloaded and executed on the compromised system by the payload. The payload dropped by the Flash file has been identified as the infamous Poison Ivy trojan.
If Internet Explorer 10 is not supported on your system and you don’t want to move to an alternate browser, Microsoft recommends that you add Internet Explorer to the Enhanced Mitigation Experience Toolkit, or set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting. Detailed workaround instructions are available in Microsoft’s Security Advisory.
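To confirm the zone workaround actually took effect for the logged-on user, the per-user zone settings can be read back from the registry. The script below is an added example, not taken from Microsoft's advisory; the function name `Test-ZoneHardening` is hypothetical, and it assumes the standard Internet Explorer zone numbers (1 = Local intranet, 3 = Internet) and URL action codes (1200 = run ActiveX controls, 1400 = Active scripting).

```powershell
# Added example: audit the "High" security zone workaround for the current user.
# Assumes standard IE zone numbers and URL action codes; reads HKCU only.
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$High     = 0x12000   # CurrentLevel value written by the "High" template
$Disallow = 3         # URL policy value meaning "Disable"

function Test-ZoneHardening {
    param(
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    foreach ($id in ($Zones.Keys | Sort-Object)) {
        $key   = Join-Path $Root "$id"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) {
            # Missing key: nothing to verify, so report it as non-compliant.
            [pscustomobject]@{ Zone = $Zones[$id]; Setting = '(zone key missing)'
                               Value = $null; Compliant = $false }
            continue
        }
        # Template level. A customised zone can show a different level here
        # while still blocking the two actions checked below.
        [pscustomobject]@{ Zone = $Zones[$id]; Setting = 'CurrentLevel'
                           Value = $props.CurrentLevel
                           Compliant = ($props.CurrentLevel -eq $High) }
        # The two behaviours the workaround is meant to block.
        foreach ($code in ($Actions.Keys | Sort-Object)) {
            $value = $props.$code
            [pscustomobject]@{ Zone = $Zones[$id]; Setting = $Actions[$code]
                               Value = $value
                               Compliant = ($value -eq $Disallow) }
        }
    }
}

$report = Test-ZoneHardening
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'At least one zone setting does not match the workaround.'
}
```

Zone settings delivered through Group Policy are stored separately and take precedence, so a clean result here covers only the per-user configuration.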