IE iepeers.dll Use-After-Free Vulnerability
This is a zero-day vulnerability in Internet Explorer (IE) that surfaced in March. It is caused by a “use-after-free” error within iepeers.dll – a core component of IE.
How does it work?
The error occurs when the “setAttribute()” method is called on an object that has the “userData” behavior applied via the “#default#userData” behavior parameter. That behavior is used for maintaining specific information across HTML sessions by saving it to a UserData store.
Should I be worried?
Yes, if using Internet Explorer 6 or 7. Users of IE 8 are not affected.
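For defenders triaging proxy or web-server captures, the two facts above (the “#default#userData” plus “setAttribute()” code path, and exposure limited to IE 6 and 7) can be combined into an inventory check. This is an added example, not code from the article or from Secunia; the function names and sample data are hypothetical, and because legitimate pages use the same API, a hit means "review", not "exploit".

```python
import re
from html import unescape

# Ways a page can attach the userData behavior named in the article.
BEHAVIOR = {
    "css": re.compile(r"behavior\s*:\s*url\(\s*['\"]?\s*#default#userData", re.I),
    "addBehavior": re.compile(r"addBehavior\s*\(\s*['\"]\s*#default#userData", re.I),
}
SET_ATTRIBUTE = re.compile(r"\.\s*setAttribute\s*\(")
MSIE = re.compile(r"MSIE (\d+)\.")
TRIDENT = re.compile(r"Trident/(\d+)\.")

# Constructed samples (not from the article): a benign page using the API.
SAMPLE_PAGE = (
    '<div id="store" style="behavior:url(#default#userData)"></div>'
    '<script>store.setAttribute("theme", "blue"); store.save("prefs");</script>'
)
UA_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
UA_IE8_COMPAT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)"


def ie_major(user_agent):
    """Return the real IE major version, or None for non-IE clients."""
    m = MSIE.search(user_agent)
    if not m:
        return None
    version = int(m.group(1))
    # IE 8 in Compatibility View reports "MSIE 7.0" but adds "Trident/4.0".
    t = TRIDENT.search(user_agent)
    if t:
        version = max(version, int(t.group(1)) + 4)
    return version


def page_uses_userdata(body):
    """Report how the behavior is attached and whether setAttribute() is called."""
    text = unescape(body)  # also catches entity-encoded '#' in attributes
    via = sorted(name for name, rx in BEHAVIOR.items() if rx.search(text))
    return {"via": via, "set_attribute": bool(SET_ATTRIBUTE.search(text))}


def needs_review(user_agent, body):
    """True when an affected client (IE 6 or 7) fetched a page on this code path."""
    page = page_uses_userdata(body)
    return ie_major(user_agent) in (6, 7) and bool(page["via"]) and page["set_attribute"]
```

The Trident check matters because an IE 8 client in Compatibility View would otherwise be counted as an affected IE 7 client.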
How can I prevent it?
Microsoft, fortunately, released an out-of-band security update (i.e., a patch release not scheduled for the usual second Tuesday of the month) in April to address the vulnerability. This update also fixes nine other vulnerabilities in various versions of the browser, so users should ensure that the latest patches are applied.
— Carsten Eiram, chief security specialist, Secunia
From the May 2010 Issue of SCMagazine