Active 0day attack hijacking IE users threatens a quarter of browser market

Attackers are actively exploiting a previously unknown vulnerability in all supported versions of Internet Explorer that allows them to surreptitiously hijack vulnerable computers, Microsoft warned Sunday.

The zero-day code-execution hole in IE versions 6 through 11 represents a significant threat to the Internet security because there is currently no fix for the underlying bug, which affects an estimated 26 percent of the total browser market. It's also the first significant vulnerability to target Windows XP users since Microsoft withdrew support for that aging OS earlier this month. Users who have the option of using an alternate browser should avoid all use of IE for the time being. Those who remain dependent on the Microsoft browser should immediately install EMET, Microsoft's freely available toolkit that greatly extends the security of Windows systems.

The vulnerability is formally indexed as CVE-2014-1776. Microsoft has blog posts here, here, and here that lay out bare bones details uncovered at this early stage in its investigation. Although there is no exploited vulnerability in Adobe Flash, disabling the browser add-on will also neutralize attacks, analysts at security firm FireEye Research Labs wrote in a separate blog post published Sunday. Disabling vector markup language support in IE also mitigates attacks.