Just days after releasing 15 security updates for IE10 as part of the February 2014 Patch Tuesday, Microsoft is now investigating a severe, active attack against the first-generation Windows 8 Internet browser.
The unpatched vulnerability was reported by FireEye Labs on February 13, 2014. The company is currently working with Microsoft's security team to identify and fix the exploit.
Ironically, the exploit uses a flaw in Adobe's Flash scripting language to bypass Microsoft's address space layout randomization (ASLR) technology, which is meant to be an anti-exploit mechanism. The vulnerability does not appear to affect IE11.
FireEye reports that the attack is a classic drive-by download. Users are lured to a compromised web site, where an encoded payload is downloaded from a remote server, decoded and then executed.
Microsoft has acknowledged the zero-day flaw but has yet to release an official statement.