Microsoft revealed a Vulnerability in all versions of Internet Explorer that is being used in limited, targeted attacks. They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when,which was reported by the research firm FireEye to Microsoft
All versions of Internet Explorer from 6 through 11 are listed as vulnerable as well as all supported versions of Windows other than Server Core. Windows Server versions on which IE is run in the default Enhanced Security Configuration are not vulnerable unless an affected site is placed in the Internet Explorer Trusted sites zone.
According FireEye " while the vulnerability affects all versions of IE, the attack is specific to versions 9, 10 and 11. It is a "use after free" attack in which memory objects in the browser are manipulated after being released. The attack bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization)."
The exploit FireEye said, uses an Adobe Flash SWF file to manipulate the heap with a technique called heap feng shui. Wich means that systems without Flash installed are not vulnerable to the specific exploit, although Internet Explorer 10 and 11 come with Flash embedded, so they are vulnerable by default.
