No replies to this topic

[Dan]

Yeah, yeah, I know, more Internet Explorer vulnerabilities, so what's new?

Well, one of them is a newer exploit that was just recently patched, but the other is a Zero day (new exploit w/ no security patch available), and rumor has it that it is a "State Sponsored" (Pick a non-ally country that hates us) vulnerability:

CVE-2012-1889: MSXML Uninitialized Memory Corruption - This is an uninitialized memory bug found in MSXML. According to Microsoft, such a component can be loaded from either Internet Explorer and Microsoft Office. This vulnerability is rumored to be "state-sponsored", and what makes it really critical is it's still an 0-day hijacking Gmail accounts. That's right, that means if you're using Gmail as well as Internet Explorer or Microsoft Office, you're at risk. We expect this vulnerability to grow even more dangerous since there's no patch, and it's rather easy to trigger.

Though Microsoft has released some stop gap measures to deal with this, there is no word on when a patch will be available. Security experts are recommending using a different browser until a patch is released.

Exploit code for both have been released publicly and Metasploit has already created exploit modules for both and added them to their framework. So if you are familiar with the Metasploit platform you can use it to test your systems to see if they are vulnerable or not.