Summary:
- This vulnerability affects: Internet Explorer 6 through 8 (9 and 10 are not affected)
- How an attacker exploits it: Usually, by enticing one of your users to visit a malicious web page
- Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
- What to do: Deploy the appropriate Internet Explorer patch immediately, or let Windows Automatic Update do it for you
Exposure:
In a previous post, we warned you of a zero day “use after free” vulnerability that affected Internet Explorer (IE) 6 through 8. By luring one of your users to a web site containing malicious code, a remote attacker could exploit the vulnerability to execute code on your computer, with your privileges As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer. At the time, Microsoft hadn’t fixed this newly discovered flaw, but had released a FixIt that could mitigate its risk.
This week, Microsoft released an out-of-cycle security bulletin containing a full patch for this issue. Attackers are still exploiting this flaw in the wild, so it poses a significant risk. If you use IE 6, 7, or 8, you should patch IE immediately.
Solution Path:
You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.
For All WatchGuard Users:
WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from this flaw.
Status:
Microsoft has released patches to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP.