On January 18, Microsoft released an emergency security advisory detailing a zero-day vulnerability residing in Internet Explorer, versions 9, 10, and 11.

Although Microsoft has discontinued Internet Explorer, it still provides maintenance support and updates for Internet Explorer 11, and the browser still has higher desktop usage than its successor, Microsoft Edge. This makes the vulnerability applicable to more users than you may initially think.

Currently tracked as CVE-2020-0674 in the National Vulnerability Database, the vulnerability allows remote code execution on the victim machine through the way Internet Explorer’s scripting engine and libraries handle objects in memory.

An attacker could exploit this vulnerability by tricking Internet Explorer users into browsing to a malicious webpage. Once a user had navigated to the page, the attacker would be able to deliver commands to the victim machine via Internet Explorer. These commands would be executed with the same privileges as the currently logged-in user.

For example, if the victim was logged into their PC with administrative rights, the attacker would have unrestricted access to the victim machine, allowing them to install programs, view and modify files, and much more.

While there are workarounds to defend against this type of attack until a patch is released, they involve modifying the security descriptors of the vulnerable libraries, which many users may not be comfortable doing. These modifications would then have to be reverted when Microsoft releases the patch containing the fix.

An alternative temporary mitigation would be to simply use a different browser until Microsoft releases a security patch, and to ensure that the patch is applied immediately, before returning to Internet Explorer.