[Owasp-singapore] MS warns over zero-day IE bug

Wong Onn Chee ocwong at usa.net
Thu Dec 23 05:57:50 EST 2010


Solution: Install EMET and protect the iexplore.exe process.

http://www.theregister.co.uk/2010/12/23/ms_zero_day/

Microsoft warned on Wednesday of a new zero-day vulnerability in
Internet Explorer.

The flaw creates a means for hackers to inject malware onto vulnerable
systems, providing surfers are first tricked into visiting booby-trapped
websites. As such the flaw poses a severe drive-by download risk.

All established versions of IE (from 6 to 8) are affected. It's unclear
whether or not the IE 9 beta is similarly vulnerable. The flaw
reportedly <http://www.vupen.com/english/advisories/2010/3156> involves
the handling of Cascading Style Sheets by Microsoft's browser software.
The bug first came to light on the seclists.org <http://seclists.org/>
full disclosure mailing list earlier this month.

A module exploiting the bug -- which is noteworthy because it defeats
Data Execution Prevention (DEP) and Address Space Layout Randomisation
(ASLR) security defences in Microsoft products -- has been added by the
Metasploit project.

No patch is available but Redmond has published an advisory
<http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx>
explaining how to mitigate against possible attack.

A more detailed discussion of the flaw can be found in a blog post by
Paul Ducklin of Sophos here
<http://nakedsecurity.sophos.com/2010/12/23/internet-explorer-zero-day-exploit-explanation-and-mitigation>.
