Microsoft has published a TechNet article detailing the availability of a "FixIt" for the current IE9/IE10 zero-day that has been doing the rounds. Corporate users will presumably have to wait for the patch, which Microsoft say will be released during the monthly patching cycle.
Microsoft released Advisory 2934088: https://technet.microsoft.com/en-us/security/advisory/2934088 Thanks to one of our regulars, and Swa, for the overnight heads-up.
Steve Hall, ISC Handler
Feb 20th 2014
> The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.
It's sad that Internet Explorer does not take a few microseconds to write "zero" bytes over the range of memory that is to be "deleted", so that any "use-after-free" attempts will never find any "useful" data-values in that range of addresses. One IBM mainframe operating system that has been creating virtual-machines for over 30 years has a "page-free" interface -- a VM cooperatively telling the hypervisor that a "page" (4Kbytes) of memory has been "forfeited". The hypervisor can react by excluding that page from any RAM-management (no need to "page-out" that block to a swap-disk-drive -- and the next requester of that page of "real" RAM will get a zeroed-out block).
Anonymous, Feb 26th 2014
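The zero-on-free idea from the comment above, as an added C example that is not part of the original thread or any Microsoft or IBM code. The fixed-slot pool and all names (`pool_alloc`, `pool_free`, `secure_zero`) are hypothetical. It goes one step past the comment by also reading the stale pointer after the slot has been handed to a new owner.

```c
#include <stdio.h>
#include <string.h>
enum { SLOT_SIZE = 64, SLOT_COUNT = 4 };
/* Hypothetical fixed-slot pool; stale pointers stay inside this array. */
static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int in_use[SLOT_COUNT];
/* Zero via a volatile pointer so the stores are not elided as dead writes. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

void *pool_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

void pool_free(void *p) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (in_use[i] && p == (void *)pool[i]) {
            secure_zero(pool[i], SLOT_SIZE);   /* wipe before release */
            in_use[i] = 0;
        }
}

/* Constructed scenario: fill a slot with 0x41, free it, keep the pointer. */
static unsigned char *make_stale(void) {
    unsigned char *obj = pool_alloc();
    memset(obj, 0x41, SLOT_SIZE);
    pool_free(obj);
    return obj;
}
/* Byte read through the stale pointer right after the free. */
int stale_read_after_free(void) { return make_stale()[0]; }
/* Byte read through the stale pointer once the slot has a new owner. */
int stale_read_after_reuse(void) {
    unsigned char *stale = make_stale();
    unsigned char *next = pool_alloc();   /* same slot, handed out zeroed */
    memset(next, 0x42, SLOT_SIZE);
    int seen = stale[0];
    pool_free(next);
    return seen;
}
int main(void) {
    printf("after free: 0x%02x, after reuse: 0x%02x\n",
           stale_read_after_free(), stale_read_after_reuse());
    return 0;
}
```

The wipe removes the old contents and gives the next requester a zeroed block, but once the slot is reallocated the stale pointer sees whatever the new owner wrote, so zeroing complements fixing the dangling reference rather than replacing it.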