User advisory on Microsoft IE Zero-Day Vulnerability and Exploit

03 Dec

A proof-of-concept exploit was recently discovered that targets a zero-day vulnerability in Internet Explorer. Symantec Security Response has confirmed that the exploit affects both IE 6 and 7 on Windows XP and Vista platforms, but other versions of IE and Windows may also be affected.

To launch a successful attack, an attacker must lure the victim to a malicious Web page or to a website they have compromised. The exploit also requires JavaScript. It targets a vulnerability in the way IE uses Cascading Style Sheets (CSS) information. CSS is used in many Web pages to define the presentation of the site’s content.

Mitigation for consumer users:

· To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit websites they trust until fixes are available from Microsoft.

Mitigation for enterprise users:

· Run all software as a non-privileged user with minimal access rights

· Deploy network intrusion detection systems to monitor network traffic for malicious activity

· Do not follow links provided by unknown or untrusted sources

· Set web browser security to disable the execution of script code or active content

· Implement multiple redundant layers of security
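
A check for the "disable the execution of script code" mitigation above, as an added example that is not part of the original advisory: it parses a `reg export` of IE's per-zone settings and lists the zones where Active Scripting (URL action 1400) is not set to disabled. The sample export is constructed and the function names are illustrative; the script assumes the export covers a single hive.

```python
import re

# URL action 1400 is IE's "Active scripting" setting; the zone ids are IE's own.
ACTIVE_SCRIPTING = "1400"
STATES = {0: "enabled", 1: "prompt", 3: "disabled"}
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}

KEY_RE = re.compile(r"^\[HKEY_.*\\Internet Settings\\Zones\\([0-4])\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]+)"=dword:([0-9A-Fa-f]{8})$')

def active_scripting_by_zone(reg_text):
    """Return {zone_id: state} for every zone key found in a .reg export."""
    result, zone = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new registry key starts here
            m = KEY_RE.match(line)
            zone = m.group(1) if m else None
            if zone is not None:
                result.setdefault(zone, "not set")
            continue
        m = VAL_RE.match(line)
        if zone is not None and m and m.group(1) == ACTIVE_SCRIPTING:
            value = int(m.group(2), 16)
            result[zone] = STATES.get(value, "unknown (0x%x)" % value)
    return result

def zones_needing_attention(reg_text, zones=("3", "4")):
    """Names of the checked zones where scripting is not explicitly disabled."""
    states = active_scripting_by_zone(reg_text)
    return sorted(ZONES[z] for z in zones
                  if states.get(z, "not set") != "disabled")

# Constructed sample; real exports are usually UTF-16, so read them with
# open(path, encoding="utf-16") before passing the text in.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
'''

if __name__ == "__main__":
    for name in zones_needing_attention(SAMPLE):
        print("Active scripting is not disabled in zone:", name)
```

A zone missing from the export is reported as needing attention, since the script cannot confirm its setting.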

The exploit in its current form exhibits inconsistent behavior in tests conducted by the Response team. However, a fully functional exploit can be expected to follow, so new signatures specifically for this exploit are also being created. Symantec detects the exploit with the Bloodhound.Exploit.129 signature and with the HTTP Microsoft IE Generic Heap Spray BO and HTTP Malicious JavaScript Heap Spray BO IPS signatures.

Posted on December 3, 2009 in Symantec

