MA-202.112009: MyCERT Alert - Critical Vulnerability in Microsoft Internet Explorer

1.0 Introduction

A critical vulnerability has been identified in the Microsoft Internet Explorer web browser. The vulnerability, if successfully exploited, will cause the application to crash and could potentially allow an attacker to take control of the affected system. Essentially, an attacker can trick unsuspecting users into clicking on a URL that will take them to a specially crafted Web page containing the exploit. MyCERT is aware that a '0-day' exploit is available on the Internet at the time of the publication of this advisory.

2.0 Impact

An attacker who has successfully exploited this vulnerability could execute code remotely and gain the same privileges as the user. An unsuccessful attack may result in denial of service.

3.0 Affected Products

The detailed list of vulnerable products and versions is as follows:

- Microsoft Internet Explorer 6
- Microsoft Internet Explorer 6 Service Pack 1
- Microsoft Internet Explorer 7

4.0 Recommendation

As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround if they need to use Microsoft Internet Explorer:

4.1 Update to Internet Explorer 8. Internet Explorer 8 can be obtained from the following URL: http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx

4.2 Users who are not able to update to Internet Explorer 8 are advised to disable JavaScript. Active Scripting can be disabled by following these steps:

- On the Tools menu, click Internet Options

- Click the Security tab, choose Internet zone and click on Custom Level

- Disable the Active Scripting and click OK
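
The setting changed by the steps above is stored in the registry per security zone, so the workaround can be verified on managed machines. The following PowerShell is an added example, not part of the MyCERT advisory; it assumes the standard Internet Explorer zone layout (zone 3 = Internet, URL action 1400 = Active Scripting, value 3 = Disable).

```powershell
# Added example (not from the advisory): audit the Active Scripting setting
# for the Internet zone, and optionally apply the workaround for the current user.
# Assumed standard IE zone layout: zone 3 = Internet, URL action 1400 = Active Scripting.
param([switch]$Apply)   # pass -Apply to write the "Disable" value

$action  = '1400'
$zone    = 'Internet Settings\Zones\3'
$userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\$zone"
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Locations that can hold the value; policy keys, when present, override preferences.
$locations = @(
    @('Machine policy',     "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\$zone"),
    @('User policy',        "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\$zone"),
    @('User preference',    $userKey),
    @('Machine preference', "HKLM:\Software\Microsoft\Windows\CurrentVersion\$zone")
)

function Get-ScriptingSetting([string]$Path) {
    # Returns the DWORD for URL action 1400, or $null when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$action
}

if ($Apply) {
    # Create the per-user zone key if it is missing, then set Active Scripting to Disable.
    if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    Set-ItemProperty -Path $userKey -Name $action -Value 3 -Type DWord
}

# Report the state found at each location.
foreach ($loc in $locations) {
    $value = Get-ScriptingSetting $loc[1]
    if ($null -eq $value) {
        $state = 'not set'
    } elseif ($meaning.ContainsKey([int]$value)) {
        $state = $meaning[[int]$value]
    } else {
        $state = "unrecognised value $value"
    }
    '{0,-20} {1}' -f $loc[0], $state
}
```

Run without arguments to report only. A machine or user policy value takes precedence over the user preference that `-Apply` writes.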

4.3 Do not browse untrusted websites or click on untrusted links.

4.4 Browse the Internet with a least-privilege user account to limit the execution of the malicious file.

4.5 Consider using alternative web browsers to browse the Internet. Please make sure you use the latest version and stay up to date as well.

MyCERT would like to advise the users of Microsoft Internet Explorer to be vigilant of the latest security announcements by Microsoft and ensure that their operating systems are updated automatically. An article on how to enable the auto update feature can be obtained from the following URL:

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

MyCERT can be reached through the following channels for further assistance:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References