New IE exploit – a good opportunity to upgrade to IE 8?

Over the weekend the details of a new Internet Explorer vulnerability were posted online (as reported here and here). By crafting a malicious web page attackers are able to exploit the vulnerability and trigger remote code execution, making it possible to infect victims simply by directing them to a rogue web page. The vulnerability exists in the HTML viewer when attempting to retrieve cascading stylesheet (CSS) information via the getElementsByTagName() Javascript method.

The proof of concept code is pro-actively detected as Mal/JSShell-B.

Further details (and mitigation steps for IE7 users) can be found in the Microsoft security advisory for this vulnerability (CVE-2009-3762).

At the time of writing we are not aware of this vulnerability being actively exploited in attacks. However, it is likely to be just a matter of time before it is. Users should ensure adequate web security is in place (content scanning and URL filtering).

Internet Explorer users should read the mitigation steps (for IE7) in the Microsoft advisory. On the other hand, a more future proof solution may be to take this opportunity to upgrade to IE 8 (confirmed by Microsoft not to be affected by this exploit). To assist in controlling which browsers are in use on your network, application control can help, letting you enforce a single, desired version of a browser with ease. The complete list of applications that can be controlled is listed here.