My next class:
Web App Penetration Testing and Ethical HackingAmsterdamMar 31st - Apr 5th 2025

0-day vulnerability in Internet Explorer 6, 7 and 8

Published: 2010-01-14. Last Updated: 2010-01-14 22:19:56 UTC
by Bojan Zdrnja (Version: 1)
3 comment(s)

Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer (apart from 5 – but no one has that around anymore, right?).

While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult so as a temporary workaround you might want to enable it for older IEs (keep in mind that it might break some add-ons).

Microsoft says that so far they only saw exploits against Internet Explorer 6. In a related post (here) McAfee said that this vulnerability was (one of those) used to compromise Google. So, it appears that it was maybe even a cocktail of 0-day exploits used (IE + Adobe).

--
Bojan
INFIGO IS

Keywords: 0day internet explorer
3 comment(s)
My next class:
Web App Penetration Testing and Ethical HackingAmsterdamMar 31st - Apr 5th 2025

Comments

So if I were a bad guy, I'd post a malware laden website for Haitian donations, and exploit this latest IE vulnerability...but hey, what's the chances of somebody doing this, hah! Never happen right?

Don

Jan 15th 2010
1 decade ago

The exploit is live and in the wild. Here is a video of it being used via Metasploit:

http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Prefect

Jan 16th 2010
1 decade ago

Firefox and NoScript more than handle this.
Interestingly enough, both France and Germany have recommended their citizens switch from IE to an alternative browser; it looks like tech guys aren't the only ones expecting a massive fallout over this.

computerfreaker

Jan 18th 2010
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives