[IS&T Security-FYI] Zero-day exploit for IE 7

Monique Yeaton myeaton at MIT.EDU
Wed Dec 10 13:04:59 EST 2008


This zero-day threat for Internet Explorer 7 was brought to my
attention today by colleague Mike Halsall. (A zero-day attack or
threat is a computer threat that tries to exploit unknown, undisclosed
or patch-free computer application vulnerabilities.)

A critical flaw in Microsoft Internet Explorer 7 has been discovered  
and is being actively exploited on the Internet.  Yesterday's patch  
release by Microsoft did not include fixes for this vulnerability, so  
it may become more prevalent until a patch is released.

In order for the attack to work, a user would be coerced to visit a  
site hosting malicious JavaScript that exploits the flaw, at which  
point a malicious program, compromising the computer, is downloaded  
and run.

This exploit only works on computers running Windows XP or 2003 that
are running IE 7, and not Windows Vista.  Best practices apply in
order to avoid being compromised:  don't click on links in emails from
untrusted sources and steer clear of untrusted web sites.

A good analysis of the exploit can be found here:

http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundays


-Monique

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security


