Microsoft investigates unpatched IE vulnerability, exploit that bypasses ASLR and DEP on Windows 7
By Gregg Keizer
December 22, 2010 06:43 AM ET
Computerworld - Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.
Microsoft said it was looking into the vulnerability.
"Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer," said Dave Forstrom, the director of Microsoft's Trustworthy Computing group, in statement. "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."
The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine that could be exploited when the browser processed a CSS (Cascading Style Sheets) file that included "@import" rules. The @import rules let Web designers add external style sheets to an existing HTML document.
Unlike some other recent IE bugs, this one can be exploited on the newest browser, IE8, running on Microsoft's newest OS, Windows 7, by defeating the latter's DEP (data execution prevention) and ASLR (address space layout randomization) anti-exploit defenses.
- Posts : 21
Join date : 2010-07-28
I've seen some samples of code. Yes, it's impressive. Even DEP, ASLR and other over-hiped 'security' solutions are powerless against it, but I've finally decided to ignore such articles. Security researchers tend to reveal too much for comfort if you ask me, and mostly for self-serving purposes. Marcus Ranum wrote a nice rant about it: The motives behind vulnerability disclosureDarthTrader wrote:Researchers reveal attack code for new IE zero-day
- Valued Member
- Posts : 211
Join date : 2010-12-14
Permissions in this forum:You cannot reply to topics in this forum