Merry Christmas and a Happy New 0-Day

Well, work is winding down for the festive season and bellies are being prepared for several days of abuse. Maybe we should be preparing our computers for equal amounts of abuse if we use Internet Explorer right now…
 

My freshly built Snowlady, Frostenia
 
Firstly, I want to take this opportunity to wish all the Countermeasures readers all the best for this holiday period and wish that the very best thing that happened to you in the last year is the worst that hapens in the next! And to take one worry off your mind, in the absence of a patch for the new
Microsoft Internet Explorer 0-day vulnerability, keep yourselves safe this season by installing the free tool Browser Guard 2010 which already offered protection against this exploit before it was even known.
 
The vulnerability certainly looks serious, affecting all supported versions of Internet Explorer on all supported versions of Windows, including Windows 7, Vista and XP. As vulnerabilities go, this kind is of the most worrying as it allows remote execution of code, meaning the attacker can run programs (such as malware) directly on the victim computer. It also bypasses to key security mechanisms put in place to protect against this kind of exploit, namely Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR).
 
The Microsoft advisory recommends that users set their Internet and Local Intranet security zones to “High” but have not yet said if they plan to release an out of band patch. The exploit code for this vulnerability has already been made public and already incorporated in the metasploit toolkit and we expect to see widespread criminal exploitation of this vulnerability.
 
This vulnerability is highly reminiscent of a vulnerability at the same time two years ago which prompted several national governments to warn against using IE and to switch to an alternative browser. For my point of view on that debate, have a gander at this blog posting.

One thought on “Merry Christmas and a Happy New 0-Day

  1. Pingback: Tweets that mention Merry Christmas and a Happy New 0-Day » CounterMeasures -- Topsy.com

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>