Threat of the month: IE exploits

What is it?
A zero-day vulnerability that affects Internet Explorer (IE) versions 6, 7 and 8 can be exploited to compromise a user's system.

How does it work?
The vulnerability is caused by a use-after-free error in the handling of the “CDwnBindInfo” object. It can be exploited to dereference an already freed object in memory and gain control of the program flow, which allows arbitrary code to be executed on a user's system with the user's privileges.

Should I be worried?
Users running an affected version of IE on an unpatched system should exercise caution when visiting untrusted websites.

How can I prevent it?
Users are advised to upgrade to IE versions 9 or 10. Microsoft has also provided a temporary Fix-It solution, which prevents exploitation of this issue. A proper patch was not released in the January security update. However, Microsoft is working on the vulnerability and is expected to issue a fix soon.
