It appears that the targeted organisations (and Thakur said there were "more than a few") generally weren't using IE 6 or 7, or they had already implemented mitigations such as DEP (Data Execution Prevention). Analysis of the log files from the compromised server showed that "very few" visitors had accessed the payload file. "We are not aware of any affected customers," said Jerry Bryant, group manager, response communications at Microsoft's trustworthy computing group.
The vulnerability itself lies in CSS handling. When faced with a certain combination of CSS tags, IE allocates too little memory to hold them, so that subsequent writes can partially overwrite a pointer. Because the attacker controls the data written, the corrupted pointer can be steered into attacker-controlled memory, which is what makes the bug potentially exploitable in combination with a heap spray.
According to the Microsoft Security Response Center engineering team, DEP blocks this type of attack, and attempts to circumvent it will be "highly unreliable (i.e. causing IE to crash)," particularly on systems supporting ASLR (address space layout randomisation).
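To make the mechanism concrete, here is a small constructed model (added for this article, not IE's code and not based on the actual CSS parser) of the bug class described above: a block is sized from a miscounted number of entries, the writes run one entry past it, and the bytes land in the first few bytes of whatever was allocated next, in this model a pointer-sized field. A flat byte array with a bump allocator stands in for adjacent heap chunks, so the overwrite is deterministic and fully defined. The function names, the sentinel value and the tag values are all assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
#define TAG_BYTES 4
#define SENTINEL_PTR 0x1122334455667788ULL  /* stands in for a valid pointer */

/* Flat arena: consecutive allocations are adjacent, like neighbouring
   heap chunks of the same size class. arena_alloc returns an offset. */
static unsigned char arena[ARENA_SIZE];
static size_t arena_top;

static size_t arena_alloc(size_t n) {
    size_t off = arena_top;
    arena_top += n;
    return off;
}

/* Stores `count` 4-byte tag values into a freshly allocated block.
   With `undersized` set, the block is sized for count-1 entries,
   modelling the "insufficient memory" condition: the final write lands
   in the neighbouring allocation, which here holds a pointer-sized
   field initialised to SENTINEL_PTR. Returns that field after the
   writes, so the caller can see whether (and how) it was corrupted.
   Returns 0 if the inputs do not fit the toy arena. */
uint64_t store_tags(const uint32_t *tags, size_t count, int undersized) {
    if (count == 0 || count * TAG_BYTES + sizeof(uint64_t) > ARENA_SIZE)
        return 0;

    memset(arena, 0, sizeof arena);
    arena_top = 0;

    size_t alloc_count = undersized ? count - 1 : count;   /* the miscount */
    size_t block = arena_alloc(alloc_count * TAG_BYTES);
    size_t neighbour = arena_alloc(sizeof(uint64_t));

    uint64_t sentinel = SENTINEL_PTR;
    memcpy(arena + neighbour, &sentinel, sizeof sentinel);

    /* No bounds check against the allocation: the last iteration of the
       undersized case writes TAG_BYTES bytes into the neighbour field,
       i.e. a partial overwrite of the "pointer" with attacker-chosen data. */
    for (size_t i = 0; i < count; i++)
        memcpy(arena + block + i * TAG_BYTES, &tags[i], TAG_BYTES);

    uint64_t after;
    memcpy(&after, arena + neighbour, sizeof after);
    return after;
}

int main(void) {
    /* Constructed input: the last value is what ends up in the pointer. */
    const uint32_t tags[3] = { 0x10u, 0x20u, 0x0c0c0c0cu };
    printf("correct size : %016llx\n",
           (unsigned long long)store_tags(tags, 3, 0));
    printf("undersized   : %016llx\n",
           (unsigned long long)store_tags(tags, 3, 1));
    return 0;
}
```

With the correct size the neighbouring field keeps its sentinel value; with the undersized allocation its first four bytes become 0x0c0c0c0c, a value taken straight from the input. That is the role of the heap spray in the attack the article describes: fill enough of the address space with attacker data that a pointer whose bytes were only partially replaced still points into it. DEP breaks the last step, because even a successfully redirected pointer lands in memory that cannot be executed, and ASLR removes the fixed addresses an attacker would need to bypass DEP reliably.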
Further protection against the vulnerability can be gained by overriding web-page styles with a custom CSS; instructions can be found in the advisory under 'Workarounds'.
Microsoft is developing a security update to fix the vulnerability, and it will apparently be released on a subsequent Patch Tuesday: "The issue does not meet the criteria for an out-of-band release," said Bryant.