Microsoft (Nasdaq: MSFT) says a security gap in Internet Explorer could allow an attacker to take complete control of a computer if the user clicks on a malicious link.

The vulnerability affects versions 6 through 11 of the Web browser.

An advisory includes information about how to mitigate the problem.

Microsoft Corp. said Saturday that it was aware of “limited, targeted attacks” that tried to exploit the security gap. The company is working on a fix, which it plans to provide in a software update on May 13.

In the meantime, Microsoft encourages customers to enable a firewall, apply all software updates and install anti-malware software.

A division of the Homeland Security Department recommends that users download a security toolkit from Microsoft or use another browser until an update becomes available.

Advisory FAQ

  • What is the scope of the advisory?

Microsoft is investigating public reports of a vulnerability in affected versions of Internet Explorer.

  • Is this a security vulnerability that requires Microsoft to issue a security update?

On completion of our investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

  • What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  • How could an attacker exploit the vulnerability?

An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.

  • I am running Internet Explorer for Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. Does this mitigate this vulnerability?

Yes. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.
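The advisory lists Enhanced Security Configuration as the mitigating factor on Windows Server. The following PowerShell script, added here as an example and not taken from the article or from Microsoft's advisory, audits whether ESC is still switched on for both the Administrators and Users groups; it assumes ESC state is recorded under the two Active Setup component keys named in the script (a well-known location, but not one stated on this page).

```powershell
# Added example (not from the article or Microsoft's advisory): audit whether
# Internet Explorer Enhanced Security Configuration (ESC), the mitigating factor
# the advisory describes for Windows Server, is enabled on this host.
# Assumption: ESC state lives under the two Active Setup component keys below
# (one for Administrators, one for Users), with IsInstalled = 1 when ESC is on.

$EscKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscStatus {
    [CmdletBinding()]
    param()

    foreach ($group in $EscKeys.Keys) {
        $path = $EscKeys[$group]
        # $null means the key is absent, e.g. on a client OS where ESC does not exist.
        $enabled = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
            $enabled = ($value -eq 1)
        }
        [PSCustomObject]@{
            Group       = $group
            EscEnabled  = $enabled
            RegistryKey = $path
        }
    }
}

# Report the state and flag any server where ESC has been switched off for either
# group, since that removes the mitigation for sites outside the Trusted sites zone.
$status = Get-IEEscStatus
$status | Format-Table Group, EscEnabled -AutoSize

$disabled = $status | Where-Object { $_.EscEnabled -eq $false }
if ($disabled) {
    Write-Warning ("IE Enhanced Security Configuration is disabled for: " + ($disabled.Group -join ', '))
}
```

Run it from an elevated prompt on each server; a result of `$null` for both groups simply means the host is not a server edition and ESC does not apply.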

  • Does EMET help mitigate attacks that try to exploit this vulnerability?

Yes. The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.

For more details, visit the Microsoft advisory website.