Sécurité Proactive

Security blog [EN]

[CVE-2010-0249] Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft advisory: http://www.microsoft.com/technet/security/advisory/979352.mspx

This security flaw, which was revealed about a week ago, is a threat that we are following closely. As of this writing, we and others have seen a limited number of in-the-wild attacks using this vulnerability. Some of these attacks were quite serious, affecting large targets like Google and Adobe (http://threatpost.com/en_us/blogs/inside-aurora-malware-011910).

The various virus scanners from Norman detect the known malware installed by these attacks. However, there are no guarantees, as it is always possible to create malware that goes undetected for a limited time window.

Attacks through this vulnerability are possible on:

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

The vulnerability is script-based, and occurs when Internet Explorer tries to access an HTML object that has already been deleted. This causes an error that can be exploited to run unauthorized code.

Mitigation

Some level of protection is gained by having Data Execution Prevention (DEP) active. DEP is enabled by default on Internet Explorer 8 on Windows XP Service Pack 3, Internet Explorer 8 on Windows Vista Service Pack 1 and later, Internet Explorer 8 on Windows Server 2008, and Internet Explorer 8 on Windows 7. DEP on Windows XP SP2 and Windows Vista RTM can be enabled with a tool downloadable from this site: http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx

Further mitigations are to turn off Active Scripting in the Internet and Local Intranet security zones, and to set the Internet zone security setting to “high”.
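One way to audit the Active Scripting workaround described above, as an added PowerShell example that is not from the original post or from Microsoft's advisory. It assumes the standard Internet Explorer zone registry layout (URL action 1400 for Active Scripting, zone 1 for Local Intranet, zone 3 for Internet, CurrentLevel 0x12000 for the High template); the function names are illustrative.

```powershell
# Added example: audit (and optionally apply) the Active Scripting workaround.
# URL action 1400 = Active Scripting: 0 = Enable, 1 = Prompt, 3 = Disable.
# Zone 1 = Local Intranet, zone 3 = Internet. CurrentLevel 0x12000 = High template.
$Tail  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Group Policy keys take precedence over the per-user preference, so read them first.
$Roots = "HKLM:\Software\Policies\$Tail", "HKCU:\Software\Policies\$Tail", "HKCU:\Software\$Tail"
$ZoneName  = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$StateName = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    param([Parameter(Mandatory = $true)][int]$Zone)
    foreach ($root in $Roots) {
        $key  = "$root\$Zone"
        $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }          # not set here, try the next hive
        $value = [int]$prop.'1400'
        $state = $StateName[$value]
        if ($null -eq $state) { $state = "Unknown ($value)" }
        return New-Object PSObject -Property @{
            Zone = $ZoneName[$Zone]; State = $state; Mitigated = ($value -eq 3); Source = $key }
    }
    # No value found in any hive: report the zone as not mitigated.
    New-Object PSObject -Property @{
        Zone = $ZoneName[$Zone]; State = 'Not set'; Mitigated = $false; Source = $null }
}

function Test-InternetZoneHigh {
    # True only when the current user's Internet zone uses the High template.
    $p = Get-ItemProperty -Path "HKCU:\Software\$Tail\3" -Name 'CurrentLevel' -ErrorAction SilentlyContinue
    ($null -ne $p) -and ($p.CurrentLevel -eq 0x12000)
}

function Disable-ActiveScripting {
    # Writes the per-user preference only; a policy value, if present, still wins.
    param([int[]]$Zone = @(1, 3))
    foreach ($z in $Zone) {
        Set-ItemProperty -Path "HKCU:\Software\$Tail\$z" -Name '1400' -Value 3 -Type DWord
    }
}

# Report the effective setting for both zones named in the workaround.
1, 3 | ForEach-Object { Get-ActiveScriptingState -Zone $_ } |
    Format-Table Zone, State, Mitigated, Source -AutoSize
"Internet zone at High: $(Test-InternetZoneHigh)"
```

Running the script only reports the current state; call `Disable-ActiveScripting` explicitly to apply the per-user setting, then re-run the audit to confirm that no policy value overrides it.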

Microsoft has stated that they will release an out-of-band release to fix this problem as soon as the patch has been tested properly.

 
