Summary:
- Zero day vulnerability in mshtml.dll used by Internet Explorer 6, 7, 8 and 9, and many other products.
- Resolution: Deploy EMET or stop using IE and other products using mshtml.dll until Microsoft delivers a patch.
Earlier this week a zero-day vulnerability in the mshtml.dll was made public. This DLL is used by almost all Internet Explorer versions (6-9 are vulnerable) and many other software products (almost anything from Microsoft and a lot of 3rd party software that displays a web page on Windows).
While Microsoft is building a fix that is to be released very soon now (probably tomorrow, Friday September 21st 2010), the official resolutions are not to use the mshtml.dll at all (impractical for many people), or deploy EMET (impractical too as it requires administrative privileges).
If you can, switch to a browser that uses a different layout engine than mshtml.dll (for instance browsers based on WebKit will do).
These pages are good starting points for more information:
- CVE – CVE-2012-4969 (under review).
- Microsoft Offers Guidance for Internet Explorer Zero-Day | SecurityWeek.Com.
Particularly interesting posts:
- Zero-Day Season Is Really Not Over Yet.
- Microsoft Internet Explorer execCommand Vulnerability Metasploit Demo.
- Microsoft Offers Guidance for Internet Explorer Zero-Day | SecurityWeek.Com.
- Microsoft to release emergency Internet Explorer patch tomorrow – SC Magazine UK.
–jeroen
Filed under: Internet Explorer, Power User, Web Browsers, Windows, Windows 7, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP Tagged: execcommand, internet explorer patch, internet explorer versions, layout engine, party software, software, software products, technology, zero day
