New IE Zero-Day Being Exploited In the Wild

wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metaspolit which will let security teams and attackers alike test systems."

Getting fed up

[gravyface]

of shoddy browser security. Could this not be "solved" with proper sandboxing? If there's legacy code to support (this has been cited many times in the past for reasons why), please, please fork IE into two branches: IE Classic or whatever that's fully backwards compatible, and an IE Lite that's completely sandboxed and locked down for wide-spread corporate deployment.