IE iepeers.dll Use-After-Free Vulnerability

Share this article:
What is it?
It's a zero-day vulnerability that surfaced in March in Internet Explorer (IE). It is caused by a “use-after-free” error within iepeers.dll – a core component of IE.

How does it work?
The error occurs when calling the “setAttribute()” method for an object having the “userData” behavior applied via the “#default#userData” behavior parameter, which is used for maintaining specific information across HTML sessions by saving it to a UserData store.

Should I be worried?
Yes, if using Internet Explorer 6 or 7. Users of IE 8 are not affected.

How can I prevent it?
Microsoft, fortunately, released an out-of-band security update (i.e., a patch release not scheduled for the usual second Tuesday of the month) in April to address the vulnerability. This update also fixes nine other vulnerabilities in various versions of the browser, so users should ensure that the latest patches are applied.

— Carsten Eiram, chief security specialist, Secunia
Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in Opinions

Sign up to our newsletters

TOP COMMENTS