Microsoft Warns on IE 0-day, Provides Work-Around

Microsoft has issued a warning about a serious vulnerability in ALL versions of its Internet Explorer browser.  Surfing to a malicious or compromised webpage could allow attackers to take complete control of an unprotected computer.  Exploit code has already been published, though Microsoft has no evidence it is currently being used in the wild.  A workaround for the bug has been produced while Microsoft works on a permanent fix.  Although the company said it would patch the problem, it is not planning to rush out an emergency update.  It recommends the use of the Enhanced Mitigation Experience Toolkit.

The vulnerability in IE6, 7 & 8 surfaced several weeks ago when French security firm Vupen disclosed a flaw in IE’s HTML engine.  On Tuesday, researchers posted a video demo of an attack and added a reliable exploit to the Metasploit penetration testing toolkit.  The exploit uses a technique revealed earlier by McAfee researchers to defeat 2 important Windows defensive technologies: ASLR (address space layout randomization) and DEP (data execution prevention).  The vulnerability involves the way that IE manages memory when processing Cascading Style Sheets, a widely used technology that defines the look and feel of webpages.

As vulnerabilities go, this is the most serious type.  It allows remote execution of code, meaning that the attacker can run programs, such as malware, directly on the victim’s computer.  Take mitigating action.
