SANS ISC: InfoSec Handlers Diary Blog

The IE saga continues, out-of-cycle patch coming soon

Published: 2010-01-19
Last Updated: 2010-01-19 20:10:13 UTC
by Jim Clausing (Version: 1)

No, there still isn't a patch, but there will be one before the regular Microsoft patch day in February. The MSRC has posted a note on their blog saying the timing will be announced tomorrow. In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as JavaScript is enabled (no, this doesn't appear to be the .NET ones from last year), which would make even IE8 vulnerable. We don't have the details at present, but if true, this is a major development. This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8, where DEP is on by default. In any event, we continue to monitor the situation.

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

Keywords: CVE20100249 IE