Microsoft has publicly disclosed more information about the zero-day exploit (and ways to block it) following its security advisory on the Internet Explorer 6 vulnerability.
"The vulnerability is present in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. All versions may crash after opening the attack code. However, there are a number of ways to limit the attack to an IE crash and prevent attacker code execution," he added.
I think this vulnerability is the same as the one used by attackers to launch zero-day attacks that hit several web sites worldwide, including the PRC website. In our previous post, we discussed the zero-day (or zero-hour) attack. The term sounds scary, but don't worry about the attack; Microsoft has already provided ways to block code execution, as follows:
- Enable DEP. Data Execution Prevention, or DEP, prevents the execution of code from pages of memory that are not explicitly marked as executable. This is very useful, especially if you've been sent code hidden in .gif or .au files, among other risks.
If you're too lazy to do it, just use the Microsoft Fix It tool to enable DEP in Windows XP and Vista. Windows 7 users need not do this; DEP is enabled by default in this latest OS.
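To confirm that DEP is actually in effect after enabling it, the following added example (not from the original post or from Microsoft) reads the system-wide DEP policy from WMI and then asks Windows whether each running Internet Explorer process has DEP turned on. It assumes Windows PowerShell 2.0 or later; the `DepCheck.Native` wrapper name is made up for this example.

```powershell
# Added example: verify that DEP is really on.
# Part 1: system-wide policy from WMI. Part 2: per-process state for IE.

$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for every process)'
    1 = 'AlwaysOn (DEP enforced for every process)'
    2 = 'OptIn (only system components and programs that opt in)'
    3 = 'OptOut (every process except those explicitly exempted)'
}

$os = Get-WmiObject -Class Win32_OperatingSystem
# The WMI property is a byte; cast so it matches the integer hashtable keys.
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"Hardware DEP available : $($os.DataExecutionPrevention_Available)"
"System DEP policy      : $($policyNames[$policy])"

# GetProcessDEPPolicy is a kernel32 API that reports on 32-bit processes only.
# DepCheck.Native is a hypothetical wrapper name chosen for this example.
Add-Type -Namespace DepCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(
    IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    $flags = [uint32]0
    $permanent = $false
    $ok = $false
    try {
        # Opening the process handle can fail for processes of other users.
        $ok = [DepCheck.Native]::GetProcessDEPPolicy(
            $p.Handle, [ref]$flags, [ref]$permanent)
    } catch { }

    if (-not $ok) {
        "PID $($p.Id): not queryable (64-bit process, where DEP is always on, or access denied)"
    } elseif ($flags -band 1) {   # 1 = PROCESS_DEP_ENABLE
        "PID $($p.Id): DEP enabled (permanent: $permanent)"
    } else {
        "PID $($p.Id): DEP NOT enabled"
    }
}
```

Under an OptIn policy, a browser process that reports "DEP NOT enabled" is the case the Fix It tool is meant to correct.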
That's it. This is very important; don't take it for granted. I know there's still a fraction of users on IE, even though this area of interest is dominated by rival browser Firefox, based on data from users accessing this site.