Friday, 26 November 2010

Internet Explorer Zero Day Discovered

Researchers at Symantec have reported the discovery of an unpatched vulnerability that impacts Internet Explorer versions 6, 7, and 8 running under Windows. Microsoft has released a security advisory confirming the vulnerability but currently has no plans to release an out-of-band update.

The exploit was delivered via targeted email that contained a link to a single compromised website (all malicious files have since been removed).

According to Microsoft, the vulnerability exists because "Internet Explorer incorrectly under-allocates memory to store a certain combination of Cascading Style Sheets (CSS) tags when parsing HTML. This could result in an overwrite of the least significant byte of a vtable pointer. An attacker able to spray memory with a specific pattern could potentially execute code in the context of the process parsing the HTML."

Heap spray attacks can be mitigated by enabling Data Execution Prevention (DEP). By default, DEP is enabled in Internet Explorer v8. To enable DEP in Internet Explorer v6 and v7, refer to the links below:

