News broke this weekend of yet another IE 0-day under ("limited, targeted") exploitation in the wild. Microsoft responded with an advisory, but no patches yet. Given that the risk from the known exploit is mitigated by the usual defence in depth tactics I would not expect Microsoft to release an out of band patch, though a "fix it" type hotfix would be in keeping with Microsoft's recent tactics.
The known exploit for this issue relies on Adobe Flash to be present and enabled. Disabling or removing flash will block the known exploit, but does not address the root cause issue in Internet Explorer.
To assess your exposure to this threat:
- Nexpose users can view affected systems in their environment from existing scan data using Dynamic Asset Groups.
- ControlsInsight users can examine which systems in their environment have the correct mitigations in place (including Flash disablement).
- Both products report Windows XP as an "Obsolete Version" (which is an automatic PCI failure).
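As an added example (not from the original post and not part of Nexpose or ControlsInsight), the following PowerShell snippet performs the same two checks on a single Windows host: whether it is running Windows XP, and whether the Flash ActiveX control is blocked from loading in Internet Explorer. The Flash CLSID and the "Compatibility Flags" kill-bit location are assumptions taken from Microsoft's documented ActiveX Compatibility mechanism, not from the post.

```powershell
# Added example: local exposure check for the IE 0-day discussed above.
# Assumptions (not from the post): the Flash ActiveX CLSID and the kill-bit
# registry location follow Microsoft's documented "ActiveX Compatibility" mechanism.

$flashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash ActiveX control (assumed)
$killBitPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
$killBitFlag = 0x400                                     # bit in "Compatibility Flags" that blocks the control

function Test-FlashKillBit {
    # Returns $true when the Flash control is blocked from loading in IE,
    # i.e. the known exploit path described in the post is closed on this host.
    $item = Get-ItemProperty -Path $killBitPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $flags = [int]$item.'Compatibility Flags'
    return (($flags -band $killBitFlag) -ne 0)
}

function Test-WindowsXP {
    # Windows XP reports NT version 5.1; anything on this branch no longer receives patches.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return ($os.Version -like '5.1.*')
}

$report = [PSCustomObject]@{
    ComputerName    = $env:COMPUTERNAME
    IsWindowsXP     = Test-WindowsXP
    FlashKillBitSet = Test-FlashKillBit
}
$report | Format-List
```

A host showing `IsWindowsXP = True` has no patch coming and should be treated as exposed regardless of the Flash result; a supported host with `FlashKillBitSet = False` still has the known exploit path open until the Flash control is disabled or the IE fix is applied. On 64-bit systems the 32-bit IE process reads the same key under `Wow6432Node`, so a thorough check would query both locations.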
This 0-day is the first of what will inevitably be many issues to affect Windows XP in the post XP era. Users still on XP have no choice but to upgrade in order to receive protection. Of course, for Microsoft, Windows XP is already all but forgotten, in that, since it is no longer supported, it is not listed in the vulnerable systems.
In a totally unscientific survey, looking at traffic to Rapid7.com, approximately 1% of our total web visitors identify as running Windows XP, but approximately 15% are running some version of IE. We don't check for mitigations in place unless you ask us to.
Overall, this issue isn't all that different from any number of IE 0-days (we usually get three or four every year), except that it's the first in the post-XP world. All the more reason for users to move to modern, supported operating systems where advanced mitigation techniques are available.