The IE 0-day has been seen in a second type of attack as well and has apparently been integrated into the Elenore crimepack, meaning that everybody that pays their Elenore maintenance fees now gets access to this fresh IE 0-day. Microsoft maintains that DEP is effective against the attacks, so update to IE8 (which has DEP enabled by default) or change the DEP settings to include IE7. Microosoft has provided a Fix-it link for user to apply this change for IE7 automatically. IE6 cannot be protected by DEP and users of this old browser should migrate as soon as possible to a newer version.
Microsoft published an advisory warning of an 0-day vulnerability in Internet Explorer affecting versions 6,7 and 8. Data Execution Prevention (DEP), a security feature first implemented in 2005 currently prevents the exploit from executing successfully. IE8 users have DEP enabled by default and are protected. According to Microsoft, only a single website was found to host the exploit, but others are soon expected.
Upgrading to IE8 with DEP is highly recommended.
Last week Adobe acknowledged a 0-day flaw in their standalone Flash product and in the embedded Flash player in Adobe Reader. Exploits found in the wild are currently limited to PDF files. Adobe’s mitigation instructions are to delete the embedded Flash player and detailed steps are given for Windows, Mac OS X and Linux. Adobe will publish a fix for Flash this week and has given mid-November as a date for the Reader fix.
We will keep you updated as further news comes out.