Zero-day flaw affects three versions of Internet Explorer, as Microsoft warns of activity in the wild.
Microsoft has issued an advisory about a zero-day flaw in three versions of Internet Explorer. It said the vulnerability is present in versions 6, 7 and 8 of Explorer and could allow remote code execution. Microsoft is currently investigating public reports of the flaw. Microsoft said the vulnerability exists due to an invalid flag reference within Internet Explorer, and under certain conditions it is possible for the invalid flag reference to be accessed after an object is deleted.
In a Web-based attack scenario, an attacker could host a Web site containing a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
The CTO of Qualys said: “Data Execution Prevention (DEP), a security feature first implemented in 2005, currently prevents the exploit from executing successfully. IE8 users have DEP enabled by default and are protected and according to Microsoft, only a single Web site was found to host the exploit, but others are soon expected. Upgrading to IE8 with DEP is highly recommended.”
Source: http://www.scmagazineuk.com/zero-day-flaw-affects-three-versions-ofinternet-%20explorer-as-microsoft-warns-of-activity-in-the-wild/article/190131/