Microsoft has Released a Security Advisory and Mitigation for a New Un-Patched Vulnerability affecting Internet Explorer. The Vulnerability stems from an Invalid Pointer Reference within Internet Explorer. Attackers could Exploit the issue Remotely to Execute Arbitrary Code with the Privileges of the User that is Running the Vulnerable Browser.
Microsoft Security Advisory (979352):
Vulnerability in Internet Explorer Could Allow Remote Code Execution:
http://www.microsoft.com/technet/security/advisory/979352.mspx.
Security Advisory 979352 Released:
http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx.
On January 14, 2010, the Metasploit Exploitation Framework added an Exploit for the Bug that would allow an Attacker to gain Control of the System. Availability of this Exploit will increase the chance of In-The-Wild Exploitation of this Issue.
Re-Producing the "Aurora" I.E. Exploit:
http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html.
Internet Explorer C.V.E.-2010-0249 Remote Code Execution Vulnerability:
http://www.securityfocus.com/bid/37815.
[edit: Fixed posting error.]
An I.D.S. Signature has just been Released for this Vulnerability; please Run Norton LiveUpdate to get this Signature. (20100116.002; 20100116.001)
Just the other day, news of an exploit used to target a 0-day vulnerability in Internet Explorer (BID 37815) was announced. According to Microsoft, the vulnerability affects Internet Explorer 6, 7, and 8 which make up a bulk of the versions used today. Reports, however, have confirmed only Internet Explorer 6 has been targeted so far and the exploit has only been seen in targeted attacks.
You can read the rest of this Blog here: Protect yourself against Exploit targeting new I.E. 0-Day Vulnerability.
Microsoft has announced that they will be Releasing an Out-Of-Band Patch to address this issue. The Release Date for the Patch will be announced tomorrow (Wednesday, January 20, 2010).
Security Advisory 979352 - Going Out-Of-Band: http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx.
Microsoft has released Patches to address eight Vulnerabilities affecting Internet Explorer on Thursday, January 21, 2010. One of these issues is being Exploited in-the-Wild in Targeted Attacks. Customers are strongly advised to install the Patches as soon as possible.
Microsoft Security Bulletin M.S.10-002 - Critical:
Cumulative Security Update for Internet Explorer (978207):
http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx.
Hi Floating_Red,
Thanks for ALL the information on this subject. I got my PATCHES today, once again a BIG THANKS for keeping us up to date with this issue.
Stoneheart
Hi, stoneheart,
Thank-You for your kind response. Glad I could be of such service in keeping the Norton Community up-to-date with this issue, and other issues as well. Once again, thank-you for your Reply in letting me know that the information I provided has been of use to you.
Microsoft has released Updates to address this issue on March 30, 2010; more details are available here: Out-Of-Band Microsoft "Patch Tuesday" - March 2010. Install all Updates as soon as possible.
Microsoft has released a Knowledge Base Article (KB 981374) announcing a new and Un-Patched Vulnerability affecting Internet Explorer 6, Service Pack 1, on Microsoft Windows 2000, Service Pack 4, Internet Explorer 6, and Internet Explorer 7. Microsoft reports that Internet Explorer 8 and Internet Explorer 5.01, Service Pack 4, on Microsoft Windows 2000, Service Pack 4 are Not Affected by this issue. This Vulnerability is being exploited in Targeted Attacks In-The-Wild.
Microsoft Security Advisory (981374):
Vulnerability in Internet Explorer Could Allow Remote Code Execution:
http://www.microsoft.com/technet/security/advisory/981374.mspx.
This Vulnerability is being Tracked with the following Vulnerability Database Entry:
Microsoft Internet Explorer C.V.E.-2010-0806 Remote-Code Execution Vulnerability:
http://www.securityfocus.com/bid/38615.