A mere 10 days after acknowledging the SMB flaw in Windows 7, the Microsoft Security Response Center (MSRC) released a new security advisory for a new critical 0-day in Internet Explorer 6 and 7 as KB977981. A Proof of Concept for the 0-day was published on bugtraq on Friday, but it is not fully reliable against all combinations of browsers and OSs. Attackers are currently working on improvements to the exploit, and we are expecting to see new versions soon.
The advisory proposes several workarounds, but all of them result in restricted usability of the browser. As Internet Explorer 8 (and IE5...) is not affected, for consumers the best option is to upgrade to IE8 or, alternatively, to switch to another product. For enterprise customers, IDS/IPS vendors and secure web gateways are able to deliver a degree of protection against the known exploits.
Qualys tracks this new 0-day under QID 90570.