
SANS ISC InfoSec Handlers Diary Blog



IE6 and IE7 0-Day Reported

Published: 2009-11-22
Last Updated: 2009-11-22 03:58:31 UTC
by Marcus Sachs (Version: 3)

According to VUPEN security:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

We have not verified this claim, but would like to know if any of our readers have.  Please use our contact form to reply, or add your comments below.

UPDATE 1:

Jack wrote to tell us that Symantec has verified the bug:

November 21, 2009 - "A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future... To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft."

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: 0day ie6 ie7 zero day