Microsoft has released details of a zero-day remote code execution vulnerability which is being actively exploited to attack Windows computers. It affects all versions of Internet Explorer running on Windows 7, 8.1 and 10.
The problems lies in one of the two javascript engines available within IE. Since a webpage can request IE to use a specific javascript engine, a malicious site is able to force the exploit either through an element on a trusted page such as an Advert or by tricking the user to visit a specially crafted webpage. The issue is tracked as CVE-2020-0674 and is a flaw in the way objects in memory are handled. By exploiting the vulnerability, an attacker is able to execute arbitrary code on the machine.
Until Microsoft issues a patch (and possibly forever for the 1 in 4 desktop machines that now run the unsupported Windows 7 Operating System) you can manually disable the javascript engine which has the vulnerability. Since the flawed library is not the default javascript engine, it is unlikely that many legitimate sites will be insisting in using the legacy javascript library. Full instructions for disabling the vulnerable library are provided in the Microsoft security advisory.
