[Owasp-singapore] MS warns over zero-day IE bug
Wong Onn Chee
ocwong at usa.net
Thu Dec 23 05:57:50 EST 2010
Solution: Install EMET and protect the iexplore.exe process.
Microsoft warned on Wednesday of a new zero-day vulnerability in
The flaw creates a means for hackers to inject malware onto vulnerable
systems, providing surfers are first tricked into visiting booby-trapped
websites. As such the flaw poses a severe drive-by download risk.
All established versions of IE (from 6 to 8) are affected. It's unclear
whether or not the IE 9 beta is similarly vulnerable. The flaw
reportedly <http://www.vupen.com/english/advisories/2010/3156> involves
the handling of Cascading Style Sheets by Microsoft's browser software.
The bug first came to light on the seclists.org <http://seclists.org/>
full disclosure mailing list earlier this month
A module exploiting the bug -- which is noteworthy because it defeats
Data Execution Prevention (DEP) and Address Space Layout Randomisation
(ASLR) security defences in Microsoft products -- has been added by the
No patch is available but Redmond has published an advisory
explaining how to mitigate against possible attack.
A more detailed discussion of the flaw can be found in a blog post by
Paul Ducklin of Sophos here