Microsoft has released security advisory MSA-2794220 for the Internet Explorer 0day used in the “drive-by” attack against the Council on Foreign Relations (CFR.org) website. The attack was reported on 28 December by “The Washington Free Beacon”, but it seems that, only 48 hours after the news was published, an exploitable Metasploit module will be available during this long end-of-year weekend.
— sinn3r (@_sinn3r) December 29, 2012
Microsoft confirms in the security advisory that the vulnerability only affects Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8; Internet Explorer 9 and Internet Explorer 10 are not affected. The vulnerability has been assigned CVE-2012-4792.
Microsoft is not giving a date for a patch release, but says it will take the appropriate action, which may include providing a solution through the monthly security update release process or an out-of-cycle security update. The next “Patch Tuesday” is planned for 8 January, but depending on how quickly exploit kits pick up this new vulnerability, Microsoft may release an out-of-band patch sooner.
As always, Microsoft recommends using the Enhanced Mitigation Experience Toolkit (EMET) to mitigate the attack.