Zero-day exploit hits Internet Explorer 8
BitDefender issues emergency update to block malicious code execution on targeted systems
Australia & New Zealand – January 18, 2010 – BitDefender®, an award-winning provider of innovative anti-malware security solutions, today warns of a critical zero-day exploit targeting Internet Explorer. BitDefender has issued an emergency update that intercepts and blocks the malicious code before it impacts the targeted system.
The Internet Explorer zero-day exploit, also known as CVE-2010-0249, takes advantage of a memory corruption vulnerability affecting all versions of Internet Explorer with the exception of Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000. According to preliminary reports, this vulnerability has already been used in targeted attacks against 34 major corporations, including Google and Adobe.
The exploit tricks Internet Explorer into allowing remote code execution by accessing an invalid pointer after an object has been deleted. An attacker may use email spam, social networking spam, or any other means of mass distribution to lure users into visiting a compromised resource. As soon as the document is processed, the malicious code injected into it runs in the context of the current user and is likely to compromise the system. If the exploit fails, the attack then triggers a denial-of-service condition.