Wednesday, December 10, 2008

New Internet Explorer Zero Day

If you're running Microsoft's Internet Explorer 7 on either Windows XP or Windows Server 2003, you'd better watch out.

Right after the monthly patch bundle was released this week, word came in that a zero-day exploit for IE7 was making the rounds. The vulnerability is a heap overflow in an XML parser; the exploit creates an XML tag, then waits six seconds or so to trick antivirus engines. The exploit can cause the IE7 browser to crash, then run malicious code when the browser is restarted.

Microsoft has reported that they are aware of the issue and are investigating. The exploit code is publicly available, and while we haven't seen heavy distribution, that will probably change rapidly.

Right now, the only workaround is to use a browser other than IE7. Mozilla Firefox, anyone?
