0-day Vulnerabilities for Internet Explorer and Flash/Reader
Last updated on: September 7, 2020
Microsoft published an advisory warning of an 0-day vulnerability in Internet Explorer affecting versions 6,7 and 8. Data Execution Prevention (DEP), a security feature first implemented in 2005 currently prevents the exploit from executing successfully. IE8 users have DEP enabled by default and are protected. According to Microsoft, only a single website was found to host the exploit, but others are soon expected.
Upgrading to IE8 with DEP is highly recommended.
Last week Adobe acknowledged a 0-day flaw in their standalone Flash product and in the embedded Flash player in Adobe Reader. Exploits found in the wild are currently limited to PDF files. Adobe’s mitigation instructions are to delete the embedded Flash player and detailed steps are given for Windows, Mac OS X and Linux. Adobe will publish a fix for Flash this week and has given mid-November as a date for the Reader fix.
We will keep you updated as further news comes out.
References:
- SRD Blog entry from Microsoft
- PDF malware details at Contagio