
SANS ISC: 0-day vulnerability in Internet Explorer 6, 7 and 8 - SANS Internet Storm Center SANS ISC InfoSec Forums

0-day vulnerability in Internet Explorer 6, 7 and 8

Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer (apart from 5 – but no one has that around anymore, right?).

While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower, since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult, so as a temporary workaround you might want to enable it for older versions of IE (keep in mind that it might break some add-ons).

Microsoft says that so far they have seen exploits only against Internet Explorer 6. In a related post (here), McAfee said that this vulnerability was one of those used to compromise Google. So it appears that a cocktail of 0-day exploits (IE + Adobe) may have been used.
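
One way to confirm that the DEP workaround described above took effect, as an added example (not part of the original diary or of Microsoft's advisory): this PowerShell function asks Windows, through the documented `GetProcessDEPPolicy` API, whether each running `iexplore` process has DEP switched on. The function name `Get-IEDepStatus` and the wrapper type `Win32.DepQuery` are names chosen for this example.

```powershell
# Added example: report the DEP state of every running Internet Explorer process.
# GetProcessDEPPolicy is a kernel32 API (Windows XP SP3 and later). It answers
# only for 32-bit processes; on a 64-bit process the call fails, because DEP
# cannot be turned off there.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(
    IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
Add-Type -MemberDefinition $signature -Name DepQuery -Namespace Win32

function Get-IEDepStatus {
    param([string]$ProcessName = 'iexplore')   # default target is an assumption of this example

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $flags     = [uint32]0
        $permanent = $false
        try {
            # $proc.Handle opens the process; this throws if access is denied.
            $ok = [Win32.DepQuery]::GetProcessDEPPolicy(
                      $proc.Handle, [ref]$flags, [ref]$permanent)
            if ($ok) {
                # Bit 0x1 is PROCESS_DEP_ENABLE.
                $state = if ($flags -band 1) { 'Enabled' } else { 'DISABLED' }
            } else {
                $state = 'Query failed (64-bit process or insufficient rights)'
            }
        } catch {
            $state = "No access: $($_.Exception.Message)"
        }

        New-Object PSObject -Property @{
            ProcessId = $proc.Id
            Name      = $proc.ProcessName
            DEP       = $state
            Permanent = $permanent   # true when the process cannot switch DEP off again
        }
    }
}

# List every browser process, with the unprotected ones easy to spot.
Get-IEDepStatus | Sort-Object DEP | Format-Table ProcessId, Name, DEP, Permanent -AutoSize
```

Run it while the browser is open; any row showing `DISABLED` is a process still running without the mitigation.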




ISC Handler
Jan 14th 2010
So if I were a bad guy, I'd post a malware-laden website for Haitian donations, and exploit this latest IE vulnerability... but hey, what are the chances of somebody doing this, hah! Never happen, right?
The exploit is live and in the wild. Here is a video of it being used via Metasploit:
Firefox and NoScript more than handle this.
Interestingly enough, both France and Germany have recommended their citizens switch from IE to an alternative browser; it looks like tech guys aren't the only ones expecting a massive fallout over this.
