Qualys Blog

www.qualys.com
wkandek

New IE 0-day vulnerability

Microsoft acknowledged a new 0-day vulnerability in Internet Explorer in advisory 2488013. The vulnerability requires the targeted user to access a website where the attacker has placed a maliciously formatted CSS file, typical for browser based attacks.

The vulnerability, now associated with CVE-2010-3971 was documented first on the site wooyun.org on Nov, 29th, then appeared on Dec, 8th on the Full Disclosure list and VUPEN had an advisory opened on Dec, 9th. Nephi Johnson wrote a technical brief that provides a detailed, step-by-step analysis of the components involved.

Exploits for the vulnerability are available, including one for the popular exploit framework Metasploit, so we can be certain to see widespread attacks on this vulnerability.

Microsoft has a suggested workaround in the advisory, requiring the installation and configuration of the EMET 2.0 toolkit, which technical users could do by themselves, but which should be well tested before wide deployment.

Leave a Reply