Severity: High
10 February, 2009
Summary:
- This vulnerability affects: Internet Explorer 7 and earlier versions
- How an attacker exploits it: By enticing one of your users to visit a malicious web page or link
- Impact: In the worst case, the attacker can execute code on your user's computer, gaining complete control of it
- What to do: Deploy the appropriate Internet Explorer patches immediately
Exposure:
In a security bulletin released today as part of its monthly patch update, Microsoft describes two vulnerabilities in Internet Explorer (IE) 7.0. These flaws may also affect IE 5.x and 6.x; however, Microsoft no longer supports those versions.
Though they differ technically, both vulnerabilities share the same general characteristics: IE doesn't properly handle certain HTML objects or elements, which causes memory corruption. By luring one of your users into visiting a maliciously crafted web page, an attacker can exploit either of these memory corruption vulnerabilities to execute code on that user's computer, inheriting that user's privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could gain complete control of the victim's computer.
In addition to fixing these two newly announced flaws, today's Internet Explorer patch also fixes all previously known flaws.
Solution Path:
These patches fix serious issues. You should download, test, and deploy the appropriate IE patches as soon as possible.
- Internet Explorer 7.0
Note: While these flaws may also affect older versions of IE, Microsoft currently only supports IE 7.0. If you use an older version, you should upgrade to 7.0, then apply this patch.
Status:
Microsoft has released patches to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP.
No comments:
Post a Comment