IE7 & IE6 Critical Zero Day

Published: November 23 2009, 11:20 PM
by Methusela Cebrian Ferrer

 

 

If attackers take advantage of known vulnerabilities to deploy browser-based attacks, how much more for a zero day?

Exploit code has been released for this critical Windows IE 7 and IE 6 vulnerability, as published last Friday through the Bugtraq mailing list.

Analysis of the proof-of-concept code shows an attack that could cause a memory corruption error in the Microsoft HTML viewer (mshtml.dll) when the browser handles a specially crafted internal style sheet (CSS/STYLE) object via the document.getElementsByTagName() method. As a result, successful exploitation could crash the affected browser or enable a remote attacker to execute arbitrary code.

Unless Microsoft releases an out-of-band security update, we can’t expect a quick fix until the next patch cycle, which is on the 8th of December.

The bottom line is that these attacks require JavaScript to execute their malicious code, so disabling JavaScript in IE7 and IE6 is highly recommended. However, a better option is to upgrade your browser to IE 8, which is not vulnerable.
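One way to check and apply the "disable JavaScript" mitigation on a Windows machine, as an added example that is not part of the original post: the script reads the Active Scripting setting (URL action `1400`) for each IE security zone and, when asked, sets it to Disabled for the current user. The `-Enforce` switch name and the lookup order (policy keys before the per-user key) are assumptions of this example.

```powershell
# Added example: audit (and optionally disable) IE Active Scripting per security zone.
param([switch]$Enforce)   # hypothetical switch: with -Enforce, write "Disabled" for the current user

$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$States    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }   # data values for URL action 1400
$UserZones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Assumed lookup order: Group Policy keys first, then the per-user preference.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    $UserZones
)

function Get-ActiveScriptingState {
    param([int]$Zone)
    foreach ($root in $Roots) {
        $key  = Join-Path $root "$Zone"
        $item = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.'1400'
            $state = if ($States.ContainsKey($value)) { $States[$value] } else { "Unknown ($value)" }
            return [pscustomobject]@{ Zone = $ZoneNames[$Zone]; State = $state; Source = $key }
        }
    }
    # No explicit value in any of the keys above.
    [pscustomobject]@{ Zone = $ZoneNames[$Zone]; State = 'Not set'; Source = 'no explicit value' }
}

if ($Enforce) {
    foreach ($zone in 3, 4) {          # untrusted zones: Internet and Restricted sites
        $key = Join-Path $UserZones "$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name '1400' -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

$report = foreach ($zone in 1..4) { Get-ActiveScriptingState -Zone $zone }
$report | Format-Table Zone, State, Source -AutoSize

# A policy key takes priority over the per-user value in this lookup, so flag
# untrusted zones where script is still not disabled after the optional write.
$report |
    Where-Object { ($_.Zone -in 'Internet', 'Restricted sites') -and ($_.State -ne 'Disabled') } |
    ForEach-Object { Write-Warning "$($_.Zone): Active Scripting is $($_.State) ($($_.Source))" }
```

Run it without arguments to audit only; a warning that remains after `-Enforce` points to a policy key that has to be changed through Group Policy instead.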

Be informed and stay safe.

By: Methusela Cebrian Ferrer
Methusela “Meths” Cebrian Ferrer joined CA ISBU in mid 2008 as Senior Researcher leading Internet Security Intelligence initiative. Her focus is proactive research, identifying emerging and prevalent threats to provide strategic security response through product solutions, internal & external awareness...