IE zero-day

What is it?

An unpatched vulnerability in Microsoft Internet Explorer is currently being actively exploited. The vulnerability was initially reported via public mailing lists as a browser crash (DoS). However, it was quickly determined by various researchers, including internally at Secunia, that the vulnerability allows execution of arbitrary code on a user's system when viewing a specially crafted web page.

How does it work?
Internet Explorer supports CSS style sheets, which may be included via an @import CSS command. However, a use-after-free error within mshtml.dll when handling recursive CSS style sheet references (i.e., when a CSS style sheet references itself) can be exploited to de-reference already-freed memory in a manner that makes it possible to gain control of the program flow.

How can I prevent it?
Microsoft has yet to patch. However, in the meantime, a temporary Microsoft FixIt solution has been made available. This implements a check in mshtml.dll to prevent recursive loading of CSS style sheets.

Source: Carsten Eiram, chief security specialist, Secunia

THREAT OF THE MONTH

IE zero-day

Related

Google patches critical type-confusion flaw in Chrome browser

Global cyber incident detection capabilities improve

Palo Alto Networks firewall bug affects Siemens industrial platform

Related Events

Exposure management: How organizations can use it to build cyber resilience

Vulnerability management: Finding and fixing fatal flaws

Reducing silos between Developers and AppSec in your Software Supply Chain with Snyk and ServiceNow

Get daily email updates