Microsoft officials said on Sunday that they are continuing to investigate the attacks that are exploiting the unpatched flaw in Internet Explorer, but that the attacks right now are limited to specifically targeted activity against enterprise networks.
The company said that it doesn’t look like any of the attacks are being targeted at consumers, and that they are only effective against machines running IE 6, which doesn’t include many of the advanced memory protections that are part of IE7 and IE8. Microsoft is recommending that customers running older versions of Windows XP and IE6 upgrade in order to take advantage of those memory protections.
That said, we remain vigilant about this threat evolving and want to be sure our customers take appropriate action to protect themselves. That is why we continue to recommend that customers using IE6 or IE7 upgrade to IE8 as soon as possible to benefit from the improved security protections it offers. Customers who are using Windows XP SP2 should be sure to upgrade to both IE8 and enable Data Execution Protection (DEP), or upgrade to Windows XP SP3 which enables DEP by default, as soon as possible. Additionally, customers should consider implementing the workarounds and mitigations provided in the Security Advisory.
Microsoft’s next scheduled patch release isn’t until mid-February, but given that there is public exploit code available and that the vulnerability has been used in known attacks, the company could release an emergency out-of-band patch before then.