Critical 0-Day Flaw Affects All Internet Explorer Versions, Microsoft Warns
Thursday, 23 December 2010 12:39
Microsoft has confirmed a zero-day vulnerability affecting all supported versions of Internet Explorer, including IE8, IE7 and IE6. The Redmond company explains that the security flaw involves the creation of uninitialized memory during a CSS function within the browser.
“It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution,” the software giant said.
Because successful exploitation of this vulnerability can allow remote code execution, an attacker could potentially take over a victim’s computer. However, Dave Forstrom, Director, Trustworthy Computing, Microsoft, denied that this has happened yet.
In fact, Forstrom underlines that Microsoft has yet to detect any attacks leveraging the vulnerability, although Proof of Concept code is already available in the wild, with the exploit having even been added to Metasploit.
“Given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack our customers may increase,” he stated.
According to information available on the security hole, exploits targeting IE8, IE7 and IE6 are capable of bypassing security mitigations such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).
“Additionally, customers should be aware that Protected Mode in Internet Explorer on Windows Vista and Windows 7 helps to significantly limit the impact of currently known exploits.
“Protected Mode is on by default in Internet and Restricted sites zones in Internet Explorer 7 and 8, and prompts users before allowing software to install, run or modify sensitive system components,” Forstrom explained.
A patch is not available to fix the vulnerability at this point in time, but the Redmond company is hard at work on an update. In the meantime, Microsoft provided customers with the necessary guidance to mitigate this threat.
Microsoft Security Advisory (2488013) is currently live and details two workarounds that users can turn to until an actual security update is offered.