Microsoft just released a bulletin reporting a vulnerability (CVE-2010-3962) affecting supported versions of its Internet Explorer browser 6, 7, and 8; which they are investigating and still has no solution patch.
The main threat that the vulnerability would allow is remote code execution.
Microsoft reports that they are aware of targeted attacks that attempt to exploit this vulnerability.
Symantec describes how attackers are exploiting this flaw in deceptive emails that are sent to infect victims' PCs. It is an attack that combines deception (social engineering) and vulnerability, to infect the victim's PC.
The Microsoft bulletin reports on ways to mitigate the threat posed by this vulnerability and workarounds to prevent exposure. Among the ways to mitigate the threat the bulletin lists:
- Avoid site CSS style by using user-defined CSS styles
- Using the EMET Toolkit
- Using DEP Protection for IE 7
- Read emails in text mode
- Set the Intranet and Internet zones to "High" security mode to block ActiveX controls and Active Scripting in those zones.
Official newsletter and Technet blog:
http://www.microsoft.com/technet/security/advisory/2458511.mspx
http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx
Other sources: ZDNet,Cnet, Symantec
Raúl de la Redacción de Segu-Info
