Researchers have created attack code that exploits a zero-day vulnerability in Internet Explorer 7 (IE7) as well as in the newest IE8 -- even when Microsoft's recommended defensive measure is turned on. … On Sunday, Dino Dai Zovi, a security vulnerability researcher…, crafted attack code that exploits the unpatched vulnerability in IE7 when it's running on either Windows XP or Windows Vista. … In fact, said Dai Zovi, even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007. Users can manually switch on DEP [data execution prevention] -- a move that Microsoft recommended in the security advisory it issued last week -- but without that tweak, most Windows users are open to attack, if not by the original exploit then by follow-ups like Dai Zovi's. In fact, even DEP can be circumvented, a point the French firm Vupen Security made today. …
Although Vupen has created an exploit that works on IE8 with DEP enabled, it's not releasing the attack code to the public….
Date: 19 January 2010