Be advised! Hackers exploit new IE zero-day vulnerability

[RyanRed]

Attackers are exploiting a "zero-day" vulnerability in Microsoft's Internet Explorer (IE) and hijacking Windows PCs that cruise to malicious or compromised websites, security experts said today.

Microsoft confirmed the IE bug, saying, "We're aware of targeted attacks potentially affecting some versions of Internet Explorer," but did not set a timetable for fixing the flaw.

The unpatched bug in IE7, IE8 and IE9 can be leveraged in Windows XP, Vista and Windows 7, according to Rapid7, the security firm that also maintains the open-source Metasploit penetration-testing toolkit.

Read more here:

http://www.computerworld.com/s/article/9231367/Update_Hackers_exploit_new_IE_zero_day_vulnerability?taxonomyId=125

I just felt this should be brought to everyones attention. I strive for security, and wanted to pass this along. I hope was able to help someone

[finway]

Thanks for sharing.

[flatfly]

How can anyone still be running IE these days?

99% of common security issues (zero-days, drive-by downloads, etc) on Windows can actually be avoided pretty easily by running ANY other browser than IE and not using an admin account by default.

Also be very careful keeping up-to-date with (or outright disabling) Flash and Java
runtimes as these are the most common attack vectors.

[Gareth Nelson]

Windows is famous for bad security, so is IE - why on earth would anyone use the combination on a machine storing anything of value?

[RyanRed]

Im with you guys IE is crap. But Im sure some still use it, so I just wanted to bring this to peoples attention is all.

[WITRcenter]

Thanks for your information.

[rate5]

Im with you guys IE is crap. But Im sure some still use it, so I just wanted to bring this to peoples attention is all.

Without IE how are we going to use ActiveX technology? 

[niko]

Here is an interesting counter-point: IE iswas not vulnerable to CRIME attack; Firefox and Chrome arewere vulnerable until recently.

"Basically, the attacker is running a script on Evil.com," Rizzo explained to Kaspersky Labs' Threatpost. "He forces the browser to open requests to Bank.com by, for example, adding <img alt=""> tags with the src pointing to Bank.com. Each of those requests contains data from mixed sources."

Each encrypted request includes an image file name - a constantly changing detail that is generated by the malicious script; the browser's identification headers, which don't change; and the login cookie, the target of the attack. When the file name matches part of the login cookie, the size of the message drops because the compression algorithm removes this redundancy.

"The problem is that compression combines all those sources together," Rizzo added. "The attacker can sniff the packets and get the size of the requests that are sent. By changing the [file name] path, he could attempt to minimise the request size, ie: when the file name matches the cookie."

I don't use IE, but things are not black-and-white, especially not today. Don't base your views on years-old information.