According to a note from Microsoft, "The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website".
Successful exploitation gives the attacker the same user rights as the currently logged-in user. In a web-based attack scenario, an attacker could host a website containing a webpage that is used to exploit this vulnerability.
While the company is working on the fix, the interim option is to apply the Microsoft Fix it solution, "MSHTML Shim Workaround," which will prevent the exploitation of this issue. Further fixes are promised once the investigation is successfully completed, and they will be released through either the monthly security update release or an out-of-cycle security update. Apart from this, the suggested manual mitigation is to run the IE browser in a high security mode, so that the running of ActiveX controls and unwanted scripting is either blocked or flagged with a notification.
IE 9 and IE 10 are understood to be safer versions and are not impacted by the issue. However, with almost 3 months having passed since its identification, I guess this can no longer be called a "Zero Day" attack, and hopefully the company will put the security vulnerabilities to bed soon enough, before its browser market share starts to plummet.