This means that if the current user is logged on with administrative user rights, an attacker could take complete control of a targeted system.
The attacker could then install programs and view, change or delete data as well as create new accounts with full user rights.
Microsoft reported at the weekend that it is aware of limited, targeted attacks that attempt to exploit the vulnerability found in Internet Explorer (IE) versions 6 to 11.
According to NetMarket Share, these versions of IE account for more than half of the global browser market, affecting millions of businesses and consumers.
But security firm FireEye said at the weekend that only IE versions 9, 10 and 11 were being actively targeted; together these account for a quarter of the browser market.
Independent security advisor Graham Cluley notes that Microsoft makes no mention of Windows XP in its security warning.
“That’s not because it’s immune to attack. It’s because Microsoft released its last ever security patches for Windows XP on 8 April 2014,” he wrote in a blog post.
“As such, this is worth saying out loud: If you are still running Windows XP you will never receive a patch for this zero-day vulnerability,” he said.
Microsoft warned that the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code within IE.
The company also said an attacker could host a specially crafted website that is designed to exploit this vulnerability through IE and then convince a user to view the website.
This is typically done by sending email or instant messages designed to trick recipients into clicking a link to the malicious website.
“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update,” Microsoft said.
The company said it is working with partners in the Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Microsoft reports that more than 20 partners had released protections within 48 hours after the security advisory was published.
Business users will enjoy some protection because, by default, IE on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration.
This mode mitigates this vulnerability, Microsoft said.
The company also said that by default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone.
The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code, the company said.
However, if a user clicks a link in an email message, they could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
Because an attacker who successfully exploited this vulnerability could gain the same user rights as the current user, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft suggests several steps to limit exposure to the vulnerability until a fix is released. These include:
- Deploying the free Enhanced Mitigation Experience Toolkit (EMET) version 4.1
- Setting Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configuring Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Modifying the Access Control List on VGX.DLL to be more restrictive
- Enabling Enhanced Protected Mode for Internet Explorer 11 and enabling 64-bit processes for Enhanced Protected Mode
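The following PowerShell script is an added example, not part of the article and not Microsoft's own workaround tooling. It performs read-only checks of whether the workarounds listed above are in place on a workstation: the Internet and Local intranet zone levels and their Active Scripting / ActiveX settings, Enhanced Protected Mode and its 64-bit process option, a Deny entry for Everyone on VGX.DLL, and whether EMET appears among installed programs. The registry paths, value names and expected values (zone `CurrentLevel` of 0x12000 for "High", value `1400` for Active Scripting and `1200` for ActiveX controls, `Isolation` = `PMEM` and `Isolation64Bit` = 1 for Enhanced Protected Mode) are assumptions drawn from documented IE settings, and the EMET check is a generic uninstall-registry lookup; confirm each against your own environment before acting on the report.

```powershell
# Added audit script (assumptions: registry locations and values as noted in
# the lead-in). It changes nothing; it only reports which mitigations are set.

$report = @()
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:report += [pscustomobject]@{ Check = $Check; Mitigated = $Ok; Detail = $Detail }
}

# --- Security zone settings (per-user) ---------------------------------------
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ 'Local intranet' = 1; 'Internet' = 3 }   # assumed zone IDs

foreach ($zoneName in $zones.Keys) {
    $z = Get-ItemProperty -Path (Join-Path $zoneRoot $zones[$zoneName]) -ErrorAction SilentlyContinue
    # 0x12000 is assumed to be the "High" template level.
    $level = if ($null -eq $z.CurrentLevel) { 'not set' } else { '0x{0:X}' -f $z.CurrentLevel }
    Add-Finding "$zoneName zone level is High" ($z.CurrentLevel -eq 0x12000) $level

    # Value 1400 = Active Scripting, 1200 = Run ActiveX controls
    # (0 = enable, 1 = prompt, 3 = disable), per the assumed IE action IDs.
    $script = $z.'1400'; $activeX = $z.'1200'
    Add-Finding "$zoneName zone: Active Scripting prompts or disabled" ($script -in 1, 3) "1400=$script"
    Add-Finding "$zoneName zone: ActiveX controls disabled" ($activeX -eq 3) "1200=$activeX"
}

# --- Enhanced Protected Mode (IE10/11, per-user) -----------------------------
$main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
Add-Finding 'Enhanced Protected Mode enabled' ($main.Isolation -eq 'PMEM') "Isolation=$($main.Isolation)"
Add-Finding 'EPM uses 64-bit processes' ($main.Isolation64Bit -eq 1) "Isolation64Bit=$($main.Isolation64Bit)"

# --- VGX.DLL access control ---------------------------------------------------
# The advisory workaround denies Everyone on vgx.dll; on 64-bit Windows both
# the System32 and SysWOW64 copies matter.
foreach ($dll in @("$env:windir\System32\vgx.dll", "$env:windir\SysWOW64\vgx.dll")) {
    if (-not (Test-Path $dll)) { continue }
    $acl = Get-Acl -Path $dll
    $deny = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Deny'
    }
    Add-Finding "Everyone denied on $dll" ($null -ne $deny) ("deny entries: {0}" -f @($deny).Count)
}

# --- EMET presence (generic installed-program lookup, an assumption) -----------
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$emet = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Enhanced Mitigation Experience Toolkit*' }
$emetVersion = if ($emet) { ($emet | Select-Object -First 1).DisplayVersion } else { 'not installed' }
Add-Finding 'EMET installed' ($null -ne $emet) "version: $emetVersion"

# --- Report -------------------------------------------------------------------
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Mitigated }).Count
Write-Host "$missing of $($report.Count) checked mitigations are not in place."
```

Run it in the context of the user whose browser is being assessed, since the zone and Enhanced Protected Mode settings live under HKCU; the ACL and EMET checks read machine-wide state. A mitigation reported as not in place is a prompt to apply the corresponding workaround from the advisory (or to confirm the vendor patch has since been installed), not a sign of compromise.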