Critical Unpatched Internet Explorer Issue

CRITICAL IE7 ISSUE.

STEAM-ADVISORY NO. 2008121201
PURDUE UNIVERSITY SECURITY TEAM CIRT
Friday December 12 09:30:00 EST 2008

**** NOTICE ****
An unpatched vulnerability exists in Internet Explorer 7 which may allow
an attacker to compromise a user's system simply by having the user
browse to a specially crafted web page. Users should be EXTREMELY
cautious while browsing the web with IE7 before a patch is released and
downloaded, and it is suggested that an alternate web browser be used.
This exploit has already been seen in active use in the wild.
****************

==OVERVIEW==
A vulnerability has been discovered in Internet Explorer versions 6.x
and 7.x which may allow a malicious third party to compromise a user's
system and execute arbitrary code on the compromised host. This exploit
merely requires that a user browse to a malicious web page; it is not
necessary that the user download anything.

==SYSTEMS AFFECTED==
Windows XP
Windows Vista
Windows 2000
Windows Server 2008

==DETAILS==
The vulnerability is caused by a "use-after-free error" which occurs
when composed HTML elements are bound to the same data source. This can
be used to dereference freed memory and lead to the execution of
arbitrary code.


==SOLUTIONS==
As of 12/11/2008 there is NO PATCH for this vulnerability. According to
Secunia, the only listed solution is "Do not browse to untrusted
websites or follow untrusted links". Until this vulnerability is
patched, IE7 users should be EXTREMELY cautious while browsing and
should consider using an alternate web browser if they are able.


==FURTHER INFORMATION AND RESOURCES==

secunia.com/advisories/33089/
isc.sans.org/diary.html?storyid=5458


==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
 itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
 http://www.purdue.edu/securePurdue/incidentReportForm.cfm

http://www.purdue.edu/securepurdue/steam

--
STEAM-CIRT
Purdue University
abuse@purdue.edu

Posted by William Davis on December 12, 2008, in Advisory Alerts.