Slashdot Mirror
New IE Zero Day
RebootKid writes "Microsoft has released a notice about
a new zero day attack against Internet Explorer. Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.' 'Ok, fess up — who asked for an IE 0 day for Christmas? I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out an advisory 2488013 regarding the issue which manifests itself when a specially crafted web page is used and could result in remote code execution on the client.'"
Well the (+1 score) is that they have called for using the “The Enhanced Mitigation Experience Toolkit” (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?
What security features can you add with EMET?
Dynamic Data Execution Prevention (DEP)
Structure Exception Handler Overwrite Protection (SEHOP)
Heap Spray Allocation
Null Page Allocation
Export Address Table Access Filtering
Mandatory Address Space Layout Randomization (ASLR)
Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/acrobat/shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?
The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
http://tinyurl.com/28znulg