[Owasp-singapore] MS warns over zero-day IE bug

Wong Onn Chee ocwong at usa.net
Thu Dec 23 05:57:50 EST 2010

Solution: Install EMET and protect the iexplore.exe process.


Microsoft warned on Wednesday of a new zero-day vulnerability in
Internet Explorer.

The flaw creates a means for hackers to inject malware onto vulnerable
systems, providing surfers are first tricked into visiting booby-trapped
websites. As such the flaw poses a severe drive-by download risk.

All established versions of IE (from 6 to 8) are affected. It's unclear
whether or not the IE 9 beta is similarly vulnerable. The flaw
reportedly <http://www.vupen.com/english/advisories/2010/3156> involves
the handling of Cascading Style Sheets by Microsoft's browser software.
The bug first came to light on the seclists.org <http://seclists.org/>
full disclosure mailing list earlier this month.

A module exploiting the bug -- which is noteworthy because it defeats
Data Execution Prevention (DEP) and Address Space Layout Randomisation
(ASLR) security defences in Microsoft products -- has been added by the
Metasploit project.

No patch is available but Redmond has published an advisory
explaining how to mitigate against possible attack.

A more detailed discussion of the flaw can be found in a blog post by
Paul Ducklin of Sophos here.
