[IS&T Security-FYI] Zero-day exploit for IE 7
Monique Yeaton
myeaton at MIT.EDU
Wed Dec 10 13:04:59 EST 2008

This zero-day threat for Internet Explorer 7 was brought to my
attention today by colleague Mike Halsall. (A zero-day attack or
threat is a computer threat that tries to exploit unknown, undisclosed
or patch-free computer application vulnerabilities.):

A critical flaw in Microsoft Internet Explorer 7 has been discovered
and is being actively exploited on the Internet. Yesterday's patch
release by Microsoft did not include fixes for this vulnerability, so
it may become more prevalent until a patch is released.

In order for the attack to work, a user would be coerced to visit a
site hosting malicious JavaScript that exploits the flaw, at which
point a malicious program, compromising the computer, is downloaded
and run.

This exploit only works on computers running Windows XP or 2003 that
are running IE 7, and not Windows Vista. Best practices apply in
order to avoid being compromised: don't click on links in emails from
untrusted sources and steer clear of untrusted web sites.

A good analysis of the exploit can be found here:
http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundays

-Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security