The latest 0-day hole in Internet Explorer has been exploited by vulnerabilities in the Amnesty International web site. The hole itslef is related to flawed processing routines for parsing certain Cascading Style Sheet combinations in HTML documents. This allows attackers to manipulate certain pointers and execute injected code at the user’s privilege level.
The new attacks confirm observations of the exploit in commercial packages sold to criminals – which means attacks will probably soon become more frequent. Exploit packs fire on visitors to manipulated web sites from different directions to increase the success rate of infection attempts. In addition to the exploit for Internet Explorer, the AI site also contained modules for holes in QuickTime, Flash, and Shockwave.
So far, IE 6, 7 and 8 are vulnerable. No patch is available yet but Microsoft have indidated users should enable/use the DEP ( Data Execution Prevention ) feature in XP, Vista and 7 ( IE 8 has DEP enabled by default ).
