Carsten Eiram, chief security specialist, Secunia
November 01, 2012
Threat of the month

IE exploits are the "Threat of the Month"

IE exploits are the "Threat of the Month"
IE exploits are the "Threat of the Month"

What is it?

A 0-day vulnerability that affects all supported versions of Internet Explorer and can be exploited to compromise a user's system.

How does it work?

The vulnerability is caused by a use-after-free error when handling the “execCommand” method and can be exploited to dereference an already freed CMshtmlEd object in memory to gain control of the program flow. This allows executing arbitrary code on a user's system with the user's privileges.

Should I be worried?

Users should show extreme caution when visiting untrusted web sites if their systems are not fully patched.

How can I prevent it?

Shortly after information on the 0-day was released, Microsoft confirmed the vulnerability via a security advisory and provided a temporary Fix-it solution. On Sept. 21, Microsoft released an out-of-band security bulletin, MS12-063, which addressed the 0-day vulnerability along with four other potential remote code execution bugs. 

From the November 2012 Issue of SCMagazine »
Related Articles
Related Topics
close

Next Article in Threat of the Month

Sign up to our newsletters

More in Threat of the Month

Threat of the month: IE exploits

Threat of the month: IE exploits

IE exploits, a zero-day vulnerability that affects various Internet Explorer versions, are February's "Threat of the month."

Threat of the month: Virtualized application vulnerabilities

Threat of the month: Virtualized application vulnerabilities

The first "Threat of the Month" for 2013 are virtualized application vulnerabilities.

Threat of the month: Natural disasters

Threat of the month: Natural disasters

Our threat of the month for December are natural disasters, which result in the loss of confidentiality, integrity, and availability of sensitive information.