IE 0-day Update

Wolfgang Kandek

Hi, this is Richie again with some updates:

Internally, we do not think the IE 0-day that was released last week is something new or unique. Every couple of months a new exploit for a critical vulnerability is discovered in the browser space, and all major browsers see their share. Exploits of this type are commonly used in targeted attacks ("spear-phishing") against corporations. What is new is that the affected organizations are coming forward with information on the attacks – a positive trend that we encourage and hope will continue.

Technically, the attack was focused on the browser/OS combination IE6 and Windows XP, both close to 10 years old and near end of life. Microsoft has put a lot of work into increasing attack mitigation and surface hardening that reduces the risk of successful exploitation on newer versions of the Windows Operating System (Vista, Windows 2008, Windows 7). In general, users should upgrade to a modern OS/browser combination; at minimum, the browser should be updated to IE8 or another modern browser.

As of now, the attacks are limited to a small target population and we have not seen widespread use of the exploit. We expect that to change in the coming days since details of the vulnerability have been made publicly available. Microsoft has released a Fix-It which will turn on DEP for IE and help mitigate the attack. However, there is active research going on to bypass the DEP measure, and its effectiveness could be limited.

Further, Microsoft has indicated that they will release an out-of-band patch for this issue soon. We will keep you updated with new developments as they arise.

Richie Lai
Director of Vulnerability Research, Qualys, Inc.
