Internet Explorer 8 has yet another zero-day exploit, which has prompted Microsoft to release an impromptu patch this week. Users are urged to apply this patch as soon as possible because the exploit can infect a PC merely through a visit to a website that has been exploited.
Note: This exploit only pertains to Internet Explorer 8. To see what version of Internet Explorer you have, open your browser and click the Help link at the top of your browser window.
With a normal virus, some type of user interaction with an infected file is necessary for a computer to become infected, but not in this case. There are two ways a user can get infected with this zero-day exploit: web-based attacks and phishing emails.
Phishing emails are sent to users in an attempt to trick a user into clicking a link and visiting a page that could run code that instantly infects a PC.
In a web-based attack, a hacker could create a website with a webpage that is used to exploit this vulnerability. Compromised websites can also inadvertently host user-provided content or ads that contain specially crafted content that can use this exploit. In each of these instances, an attacker would have no way to force users to visit an infected website. Instead, the hacker would have to convince a user to visit the website, usually by getting them to click a link in an email that takes them to the attacker’s website. Alternatively, a high-traffic website can be hacked and used to redirect users to a site that contains the exploit.
In fact, InformationWeek reported that the U.S. Department of Labor website was hacked Tuesday and was used to exploit users running Internet Explorer 8.
Upgrade Internet Explorer
You should always be running the latest browser, no matter what. Unfortunately, Windows XP users do not have the ability to upgrade to anything higher than IE8. If this is the case with you, we urge you to run the latest version of either Firefox or Chrome and stop using Internet Explorer.
If you’re running Windows Vista, Windows 7 or Windows 8, you should be running at least IE 9. Windows 8 will have both IE 9 and IE 10 installed.
Protect Yourself Against The IE 8 Exploit
If you are running IE8, immediately apply the CVE-2013-1347 MSHTML Shim Workaround (http://support.microsoft.com/kb/2847140) until Microsoft applies a permanent fix in its update schedule.
In addition, as recommended above, use a modern browser and stop using Internet Explorer 8 altogether.
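Because only IE8 is affected, administrators looking after more than one PC can find the machines that still need the workaround from web proxy logs. The following is an added example, not part of the original article: it reads the browser's User-Agent string and uses the Trident engine token, since IE8 in Compatibility View announces itself as "MSIE 7.0". The log format, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Trident engine token -> real IE version, whatever the MSIE token claims.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10}

MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")


def ie_version(user_agent):
    """Return the real IE major version for a User-Agent, or None if not IE."""
    msie = MSIE_RE.search(user_agent)
    if not msie:
        return None
    trident = TRIDENT_RE.search(user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        # Compatibility View reports "MSIE 7.0"; Trident gives the real engine.
        return TRIDENT_TO_IE[trident.group(1)]
    # No Trident token (IE7 and older): trust the MSIE token.
    return int(msie.group(1))


def ie8_clients(log_lines):
    """Map client address -> request count for clients really running IE8."""
    hits = defaultdict(int)
    for line in log_lines:
        client, _, user_agent = line.partition("\t")
        if ie_version(user_agent) == 8:
            hits[client] += 1
    return dict(hits)


# Constructed sample: tab-separated "client<TAB>User-Agent" proxy log lines.
SAMPLE_LOG = [
    "10.0.0.11\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "10.0.0.12\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)",  # IE8, Compatibility View
    "10.0.0.13\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "10.0.0.14\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)",  # IE9, Compatibility View
    "10.0.0.15\tMozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
    "10.0.0.11\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
]

if __name__ == "__main__":
    for client, count in sorted(ie8_clients(SAMPLE_LOG).items()):
        print(f"{client}\tIE8\t{count} request(s)")
```

User-Agent strings can be changed by the client, so treat the result as a list of machines to check rather than a complete inventory.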