Microsoft has confirmed the existence of an unpatched vulnerability in its Internet Explorer 8 browser that allows remote code execution when users browse to a malicious website with an affected browser.
Reports from multiple security firms revealed that the vulnerability has been used in active exploits that include watering hole-style attacks against the US Department of Labour and the US Department of Energy.
Security firm FireEye said, "During our research we also found the exploit constructs a ROP chain on non-ASLRed msvcrt.dll, and we verified it could also work against IE8 on Windows 7.
"So we believe there should be some other exploits targeting IE8 on Windows 7," it added in a blog post.
Microsoft acknowledged the bug and said that other versions of Internet Explorer, including IE 6, 7, 9 and 10, are not affected by the vulnerability. The company is also working on an update to fix the issue.
In addition, the firm advised users to upgrade their browsers to IE 9 or 10, as these versions remain unaffected by the issue, while all versions of IE8, including those running on XP, Vista and Windows 7, are at risk.
IE8 has been the most widely used of Microsoft’s five supported browsers, which range from IE6 through IE10, and accounts for about 41% of all the software maker’s browsers that are currently live.