April has been the month of monumental holes in security on the net. First there was Heartbleed (and as always, XKCD has a great explanation of what the Heartbleed vulnerability is: http://xkcd.com/1353/).
Not to be outdone by a mere open source project, Microsoft has announced a new 0-day vulnerability in all versions of IE since IE 6. How you can call something “0-day” when it’s been there 12 or 13 years, I’m still kind of fuzzy on.
As I understand the bug, it allows an attacker to use a specially crafted HTML page to execute arbitrary code on the user’s machine under the credentials IE was assigned at launch. If you’re running as an administrator (who does that in Windows??), you’re pretty much wide open.
Microsoft released a tech bulletin about the flaw over the weekend that goes into a bit of depth about the flaw and lists what versions of IE are vulnerable. Basically all of them. If you’re running Server 2008 R2 or later, you *should* be ok if you’re still running IE under limited credentials.
The bulletin is here: Microsoft Security Advisory 2963983
Microsoft hasn’t released a patch yet, but I suspect we’ll see something in a day or so as an out-of-band release. I can’t imagine even Microsoft waiting around for this one.