Internet Explorer Remote Code Execution Exploit Released

Posted on January 19th, 2010 by Ryan Spanier

GSA Reference Number: AD100119-01

Simply Put: A new Internet Explorer remote code execution exploit has been released. There is evidence that this exploit is being used in limited, targeted attacks on the Internet. For now, no widespread worms or exploit packs are using this vulnerability. Microsoft has not released a patch, but is researching the issue and hopefully will release one soon. Reports have been published linking this exploit to the Google hacking incident. According to this Microsoft article, an out-of-band patch will be released for this vulnerability.

Attack Details: McAfee has dubbed the attack “Aurora.” It takes advantage of a null pointer reference present in Internet Explorer (IE) 6 and later. This vulnerability can be exploited by a maliciously crafted website. No user interaction is required other than visiting such a site, so this exploit may soon be used with social engineering or phishing emails.

Countermeasures: Microsoft has not released a patch for this vulnerability at this time. Running IE 7 or 8 on an operating system that supports Data Execution Prevention (DEP) should help mitigate the risks of this vulnerability. Operating systems with DEP include Windows XP SP3, Windows Vista SP1 and beyond, and Windows 7. Other mitigating factors are listed in the Microsoft Security Advisory. Gladiator recommends that institutions consider the risks of running Internet Explorer for web browsing at this time, and encourages users to switch to a different web browser until Microsoft releases a patch for this vulnerability.
