The existence of the flaw and a working exploit for it has been revealed by security researcher and Metasploit contributor Eric Romang, who discovered it on 14 September while monitoring some of the infected servers used by the Nitro gang in the recent Java attacks.
The Rapid7 team got right on it and created a module exploiting the vulnerability for the Metasploit exploit toolkit during the weekend, and advised IE users to switch to other browsers such as Chrome or Firefox until Microsoft patches the flaw security update becomes available.
Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate - but not yet remove - the threat:
- Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.