Wolfgang Kandek. CTO Qualys: 0-day Vulnerabilties for Internet Explorer and Flash/Reader
November 2010 by Wolfgang Kandek, CTO Qualys
Microsoft published an advisory warning of an 0-day vulnerability in Internet Explorer affecting versions 6,7 and 8. Data Execution Prevention (DEP), a security feature first implemented in 2005 currently prevents the exploit from executing successfully. IE8 users have DEP enabled by default and are protected. According to Microsoft, only a single website was found to host the exploit, but others are soon expected.
Upgrading to IE8 with DEP is highly recommended.
Last week Adobe acknowledged a 0-day flaw in their standalone Flash product and in the embedded Flash player in Adobe Reader. Exploits found in the wild are currently limited to PDF files. Adobe’s mitigation instructions are to delete the embedded Flash player and detailed steps are given for Windows, Mac OS X and Linux. Adobe will publish a fix for Flash this week and has given mid-November as a date for the Reader fix.
We will keep you updated as further news comes out.
SRD Blog entry from Microsoft
PDF malware details at Contagio