Microsoft issued a fix today for a zero-day vulnerability in older versions of Internet Explorer that could allow attackers to gain control of Windows-based computers to host malicious Web sites.
The company confirmed Saturday that it was investigating a remote code execution vulnerability in IE 6, IE 7, and IE 8 that could allow an attacker to use the corrupted PC to host a Web site designed to exploit the vulnerability with other users. Versions of the browser after IE 8 are unaffected, Microsoft said.
Microsoft said in an update to that security advisory that it has developed a one-click fix that prevents the vulnerability from being exploited without affecting users’ ability to browse the Web. Microsoft also said the fix doesn’t require a reboot.
Microsoft cautioned that the workaround was not intended to serve as a replacement for security updates.
“While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this fix it to help protect their systems,” Dustin Childs, group manager for Microsoft’s Trustworthy Computing, said in a statement.
Discovered last week, the flaw was reportedly used to exploit Windows PC users who visited the Web site for the Council on Foreign Relations, a nonpartisan think tank specializing in U.S. foreign policy and international affairs. The site has been hosting the malicious code since at least December 21, Darien Kindlund, senior staff scientist at security adviser FireEye, wrote in a blog post on Friday.