An Internet Explorer zero-day vulnerability that is currently being exploited by hackers still hasn’t been patched by Microsoft, despite the company warning users of the threat last week.
Microsoft issued a security advisory about the vulnerability last week, confirming that it had been used in “limited targeted attacks”.
But the tech giant is not expected to issue a fix for it until mid-February.
In the meantime, those still using Internet Explorer are encouraged to implement a workaround recommended by Microsoft, or to use a different browser until it is patched.
The vulnerability could allow a hacker to gain full control of a device just by tricking a user into clicking on a malicious link enclosed in an email.
The bug impacts Internet Explorer versions 9, 10 and 11 in Windows 7, 8, 10 and Windows Server 2008 and 2012.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” the warning said.
“An attacker who successfully exploited the vulnerability could gain access to the same user rights as the current user.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
“An attacker could then install programs, view, change or delete data or create new accounts with full user rights.”
This could be manipulated by hackers sending an email to users with a malicious link, Microsoft said.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” the company said.
The warning impacts all supported Windows desktop and Server OS versions.
Microsoft has said it is unlikely to issue a patch for the vulnerability for several weeks.
“Microsoft is aware of this vulnerability and is working on a fix,” it said.
“Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month.”
Microsoft provided a guide to implementing the workaround, but warned that it “might result in reduced functionality for components or features that rely on jscript.dll”.
“Microsoft recommends these mitigation steps only if there is indication that you are under elevated risk,” it said.
“If you implement the workaround, you will need to revert the mitigation steps before installing any future updates to continue to be protected.”
The vulnerability is believed to be connected to a similar zero-day found in Firefox’s browser Mozilla.
Earlier this year Mozilla said it had become aware of “targeted attacks in the wild abusing this flaw”, and quickly issued a patch for it.
The patch came just days after Mozilla released a new version of Firefox which also included a number of fixes for security flaws.
Web browsers, including Firefox, Chrome and Internet Explorer, have had to release other patches in recent months to fix vulnerabilities.
Do you know anyone who uses Internet Explorer? If so, ask them why.