My next class:

0-day vulnerability in Internet Explorer 6, 7 and 8

Published: 2010-01-14. Last Updated: 2010-01-14 22:19:56 UTC
by Bojan Zdrnja (Version: 1)
3 comment(s)

Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer (apart from 5 – but no one has that around anymore, right?).

While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult so as a temporary workaround you might want to enable it for older IEs (keep in mind that it might break some add-ons).

Microsoft says that so far they only saw exploits against Internet Explorer 6. In a related post (here) McAfee said that this vulnerability was (one of those) used to compromise Google. So, it appears that it was maybe even a cocktail of 0-day exploits used (IE + Adobe).

--
Bojan
INFIGO IS

3 comment(s)
My next class:

Comments

So if I were a bad guy, I'd post a malware laden website for Haitian donations, and exploit this latest IE vulnerability...but hey, what's the chances of somebody doing this, hah! Never happen right?
The exploit is live and in the wild. Here is a video of it being used via Metasploit:

http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/
Firefox and NoScript more than handle this.
Interestingly enough, both France and Germany have recommended their citizens switch from IE to an alternative browser; it looks like tech guys aren't the only ones expecting a massive fallout over this.

Diary Archives