updated 05:32 pm EST, Mon December 31, 2012
IE 6, 7, 8 affected by exploit. IE 9, 10 unaffected
Microsoft has issued a security warning for users of Internet Explorer versions 6 through 8. The vulnerability opens the possibility for remote code execution, and it is based on the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. This can lead to memory corruption, allowing malicious parties to run arbitrary code under the current user's profile. Microsoft is currently investigating the vulnerability and, as of December 31, has issued a patch -- MSHTML Shim Workaround -- that prevents the exploitation of the issue.
Internet Explorer versions 9 and 10 are not affected by the vulnerability. By default, Internet Explorer on Windows Server 2003, 2008, and 2008 R2 runs in Enhanced Security Configuration mode, mitigating the vulnerability. Likewise, all supported versions of Outlook, Outlook Express, and Windows Mail are protected, as they open HTML email messages in the Restricted sites zone. Users clicking links in email messages, though, could still be vulnerable to the exploitation.
Microsoft recommends that users of vulnerable software immediately download the MSHTML Shim Workaround patch -- available at the preceding link -- in order to secure their systems.