First, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.
The Websense® ThreatSeeker® Network has already detected instances of this vulnerability being exploited in the wild, unsurprising given that the exploit is publicly available as a Metasploit module, and therefore it is likely that attacks will continue to gain traction.
Websense customers are protected from this threat by Websense ACE (Advanced Classification Engine).
The vulnerability, as recently announced in Microsoft Security Advisory 2794220, affects users of Microsoft Internet Explorer versions 6, 7, and 8 and could allow attackers to remotely execute code on vulnerable machines by simply having the victim visit a malicious website.
As seen countless times in the past, typical tactics for enticing victims to visit these malicious sites often include tricking them into clicking links in fake emails, or simply compromising legitimate websites to serve malicious payloads to their unsuspecting visitors.
This particular vulnerability is caused by how Internet Explorer accesses an object in memory that has been deleted or improperly allocated. Exploitation can then result in memory corruption, which in turn could allow an attacker's own code to be executed within the context of the current user, or as if it was being run by that user.
At this time, Microsoft has not released a patch in order to address this vulnerability. However it has provided an easy one-click 'Fix It' solution. Internet Explorer versions 9 and 10 are listed as not being vulnerable.
Websense Security Labs™ are continuing to monitor this situation and, as a member of the Microsoft Active Protection Program (MAPP), are working with Microsoft in order to provide the best protection to our customers.
Update:
Microsoft has issued an Out Of Band update for CVE-2012-4792, which you can read about here.