Sunday, November 22, 2009

IE6 and IE7 0-Day Vulnerability Confirmed


Updated 5:20 PM 11/26/09: Microsoft has released v1.1 of this advisory, updated to include some mitigation steps. This is especially important given the types of exploits being noted in the wild.


Updated 9:45 PM 11/23/09: Microsoft has released Security Advisory 977981 concerning this issue.

Original post: SANS has reported and Symantec has confirmed a flaw in Microsoft Internet Explorer that could allow attackers to compromise a vulnerable system.

According to VUPEN Security:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

According to Symantec, the exploit currently circulating is unreliable, but its reliability is expected to improve rapidly.

Recommendations are the same as always when Internet Explorer is involved - make sure your antivirus is up to date, disable JavaScript, and only visit trusted sites until Redmond rolls out a patch.
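On a single machine, the "disable JavaScript" advice above means setting Internet Explorer's Active Scripting option for the Internet zone to Disable. The PowerShell snippet below is an added example, not part of the original post; it assumes the standard per-user IE zone layout in the registry (zone 3 = Internet zone, value name 1400 = Active scripting, 0 = Enable, 1 = Prompt, 3 = Disable) and only touches the current user's settings.

```powershell
# Added example (not from the original post): turn off Active Scripting
# (JavaScript) in IE's Internet zone for the current user.
# Zone 3 is the Internet zone; value 1400 holds the Active Scripting setting.
$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'

function Get-IEActiveScripting {
    # Returns 0 (Enable), 1 (Prompt), 3 (Disable), or $null if the value is absent
    (Get-ItemProperty -Path $zoneKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
}

function Set-IEActiveScripting {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 3)]
        [int]$Mode
    )
    # Create the zone key if it does not exist yet (it normally does)
    if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
    Set-ItemProperty -Path $zoneKey -Name $valueName -Value $Mode -Type DWord
}

$before = Get-IEActiveScripting
Set-IEActiveScripting -Mode 3          # 3 = Disable
$after  = Get-IEActiveScripting
"Active Scripting (Internet zone): was '$before', now '$after' (3 = Disable)"
```

Sites placed in the Trusted Sites zone (zone 2) keep their own Active Scripting setting, which matches the post's "only visit trusted sites" advice; on a domain the same value is normally pushed by Group Policy rather than set per user. Open a new IE window after the change so the updated zone settings are read.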

An alternative is to use a browser with a lower attack footprint, such as Firefox with the NoScript add-on.

