New Internet Explorer 0-day Vulnerability (Sept. 2012)

Martin Brinkmann
Sep 18, 2012
Internet Explorer, Security

Microsoft has published a security advisory today that is informing system administrators and end users about a new 0-day vulnerability affecting Internet Explorer 6, 7, 8 and 9 but not IE 10. The vulnerability is already actively exploited on the Internet which makes it a pressing matter for all Windows users who work with Internet Explorer.

The advisory itself does not reveal much about the vulnerability other than that its a remote code execution vulnerability that is giving the attacker the same rights as the logged in user if exploited successfully. Internet Explorer users need to actively visit a website or open an HTML page in the browser for the attack to be successful. A specially prepared web page or hacked website are two possible scenarios.

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Internet Explorer on Windows Server versions runs in restricted mode which mitigates the vulnerability. The same is true for Microsoft email clients such as Microsoft Outlook, as HTML emails are also opened in the restricted zone. HTML links on the other hand that open in Internet Explorer are still dangerous.

EMET, the Enhanced Mitigation Experience Toolkit, can be used to mitigate the vulnerability. You need to add Internet Explorer once you have installed the application. To do that you can either load one of the default configuration files or add iexplore.exe manually to the program.

emet internet explorer

Microsoft offers two additional mitigation workarounds.

  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones, and add sites you trust to the Trusted Sites zone
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You find detailed instructions on how to do that on the security advisory page. I have been running EMET on my systems ever since I discovered the application and have not experienced any issues doing so. Great program, definitely recommended.

In other news: while Internet Explorer 10 is not listed as vulnerable, it is still running a vulnerable Flash version. (thanks Ilev)


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Tim said on October 11, 2012 at 7:50 am

    I just read the following on a Windows Technet blog:
    “…we have tested EMET 3.0 on the Windows 8 Consumer Preview and it works great – we encountered no problems at all, so we encourage you to use EMET on all versions of Windows.”

    Can anyone think of a reason why Microsoft wouldn’t have installed EMET as standard on Windows 8?

    1. Martin Brinkmann said on October 11, 2012 at 8:48 am

      Maybe because it has not been tested on the Windows 8 RTM, or there was not enough time to implement it natively into the operating system. I think it is very likely that we will see the tool being integrated into either Windows 8 soon or Windows 9.

  2. PixelWizard said on September 20, 2012 at 4:16 am

    MS has now issued a ‘Fix it’ – a small bit of software -to repair IE so it’s usable again.

    See this tutorial which includes links to the Fix it (Microsoft Fixit 50939):

  3. KRS said on September 19, 2012 at 9:06 pm

    I’ve used IE several times this week before I heard about the vulnerability. Is there an easy way to find out whether I’ve been infected?

  4. Praveen said on September 19, 2012 at 12:46 pm

    Its really harmful i have found some more information from here-

  5. ilev said on September 19, 2012 at 8:49 am

    German Government warns users to stay away from IE until Microsoft fix this hole.

  6. Grantwhy said on September 19, 2012 at 3:25 am

    I wonder if this might be the reason there was an update to Adobe Flash today? (and Adobe Shockwave)

    1. ilev said on September 19, 2012 at 8:52 am
  7. ilev said on September 18, 2012 at 9:32 am


    I would like to install EMET but am afraid it will break some of the security applications
    (anti-virus, Heuristic defense ….) on Windows 7. The latest stable version is 3.0 while
    version 3.5 is beta.

    1. Martin Brinkmann said on September 18, 2012 at 9:50 am

      Ilev I have not noticed anything like that. Remember that you configure EMET to work explicitly with executables you specify and nothing else.

      1. ilev said on September 18, 2012 at 10:45 am

        Thanks. Will consider.

  8. ilev said on September 18, 2012 at 9:00 am

    While Microsoft doesn’t reveal much about the vulnerability, others have revealed that the
    vulnerability installs the “Poison Ivy” trojan.

      1. Martin Brinkmann said on September 18, 2012 at 9:19 am

        Ilev thanks for posting additional information.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.