More on the IE exploit

Microsoft says Internet Explorer 5.01, 6 and 8 (beta) are also potentially susceptible to the recently published zero-day exploit. Until now it had been assumed that only Internet Explorer 7 contained the vulnerability. Microsoft recommends that Data Execution Prevention (DEP) and memory protection be enabled in Internet Explorer 7 (Tools/Internet Options/Advanced/Enable memory protection…), but this can only be done in the browser itself in the 32-bit version of Vista. In the 64-bit version of Vista, DEP is automatically enabled globally. Under Windows XP, this option cannot be configured via the browser settings. Instead, users have to activate DEP for the complete system via System/Advanced/Performance/Settings/Data Execution Prevention.

What’s scary, though, is that a recent Metasploit module completely evades the DEP function, so much for that. The exploit appears to be introduced to web servers through SQL injection and then made available to visiting users. Moral of the story: stick to Opera or Firefox; both seem to be immune to a large portion of IE vulnerabilities.
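To check that the system-wide DEP setting on Windows XP actually took effect, the boot configuration can be audited. The following is an added example, not part of the original post: it assumes the DEP policy is recorded as the `/noexecute=` switch in `boot.ini`, and the function name and the sample file are constructed for illustration.

```python
import re

# /noexecute levels accepted in boot.ini, mapped to whether DEP covers all programs.
POLICIES = {
    "alwayson": True,    # every process, no exceptions
    "optout": True,      # all programs except an explicit exception list
    "optin": False,      # essential Windows programs and services only
    "alwaysoff": False,  # DEP disabled
}
SWITCH = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)

def audit_boot_ini(text):
    """Return (description, policy, dep_for_all_programs) for each boot entry."""
    findings = []
    in_os_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or "=" not in line:
            continue
        # Entry format: <ARC path>="<description>" <switches>
        m_desc = re.search(r'"([^"]*)"', line)
        desc = m_desc.group(1) if m_desc else line.split("=", 1)[0]
        switches = line[m_desc.end():] if m_desc else line
        m = SWITCH.search(switches)
        policy = m.group(1).lower() if m else None  # None: switch absent, review manually
        findings.append((desc, policy, POLICIES.get(policy, False)))
    return findings

# Constructed sample boot.ini with three entries (not taken from a real system).
SAMPLE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP hardened" /fastdetect /noexecute=optout
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="XP legacy" /fastdetect
"""

if __name__ == "__main__":
    for desc, policy, covered in audit_boot_ini(SAMPLE):
        status = "DEP for all programs" if covered else "DEP not applied to all programs"
        print(f"{desc}: /noexecute={policy} -> {status}")
```

An entry reported with `optin`, `alwaysoff` or no switch at all has not had DEP turned on for all programs.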


Comments

One response to “More on the IE exploit”

  1. I did my part as a good netizen.
    1. First, I have been using Firefox for a long, long time.
    2. Immediately informed my colleagues and friends about it. Now, whether they would care or not is up to them.