Microsoft released a security advisory about a new 0-day vulnerability in all current versions of the company’s Internet Explorer – except for the not yet final Internet Explorer 9. The vulnerability exists within the processing of so-called cascading style sheets (CSS) for defining the layout of a website and allows for remote code execution. This means, by steering unsuspecting users to manipulated websites for example via emails, attackers can infect the users’ PCs with malware like Trojans.
A patch is not yet available and Microsoft doesn’t announce when it plans to ready one. But the advisory lists some workarounds to mitigate possible attacks: Enable data execution prevention (DEP), use own/custom CSS, using the EMET toolkit and setting the local and Internet zone settings in IE to “high” to block execution of ActiveX controls and Active Scripting. Later today, Microsoft plans to release a Fix-it tool to ease the task of securing the Internet Explorer.
This vulnerability is already exploited in a limited fashion. Avira anti malware solutions detect the exploits as EXP/CVE-2010-3962 and thus protect the users.