Update 2012Sep22: As promised by Microsoft, patches for Internet Explorer versions 9 and earlier were made available yesterday. The patches are available through regular update channels, including Windows Update and Microsoft Update. Security Bulletin MS12-063 has all the details, including links for downloading the updates separately.
Update 2012Sep21: A fix for this issue, promised earlier this week by Microsoft, was announced yesterday. Anyone using Internet Explorer for web browsing is strongly encouraged to install the fix immediately. A proper (i.e. fully tested) patch will be available from Microsoft later today.
Update 2012Sep19: Another bulletin from Microsoft promises an ‘out of cycle’ fix for this issue in the next few days. Meanwhile, the list of sites known to contain the exploit code is growing.
Update 2012Sep18: Microsoft has issued a security bulletin that goes into some detail about this issue and suggests workarounds. Apparently you can install the ‘Enhanced Mitigation Experience Toolkit’, or configure Internet Explorer to either prompt before running ActiveX scripts or prevent them from running altogether.
A newly-discovered vulnerability in most versions of Internet Explorer is being exploited in current, ongoing attacks.
Anyone using IE 6, 7, 8 or 9 on Windows XP, Vista or 7 is potentially at risk. To become infected, a user need only visit a web site that contains the exploit code. Typically, trojan malware is then installed silently on the user’s computer. The computer is then open to further attacks as well as remote control by the perpetrators.
Internet Explorer 10 is not affected.
The exploit code may be placed on a web site without the knowledge of the site owner, if the site is not secure.
This vulnerability and the associated attacks are serious enough to warrant extreme caution when using Internet Explorer. Some experts are recommending discontinuing the use of Internet Explorer until a fix becomes available.
Microsoft has issued a bulletin that provides additional details.