
Archive for the ‘Advisories’ Category

Vulnerability in Microsoft Internet Explorer

Wednesday, January 20th, 2010

There are reports that targeted attacks are exploiting a vulnerability in Internet Explorer. A specially crafted HTML document allows a remote attacker to execute arbitrary code. This vulnerability exists in Internet Explorer 6, 7 and 8, but Data Execution Protection (DEP) appears to provide protection to users of versions 7 and 8. This leaves users of Internet Explorer 6 particularly exposed.

Whilst we are not aware of this vulnerability being widely used, the targeted nature of this attack may see it being used against particular sites. An update is not yet available, but Microsoft have released advice that may mitigate an attack. More details are available at:

http://www.kb.cert.org/vuls/id/492515
http://www.microsoft.com/technet/security/advisory/979352.mspx
http://support.microsoft.com/kb/979352

Microsoft yesterday announced that they plan to release an update for this issue outside of their normal patch schedule.

Remote code execution affecting Microsoft Vista, Windows 7 and Server 2008

Monday, September 21st, 2009

If you're not doing it already, there is yet another good reason why blocking TCP port 445 is a good idea. A new exploit ( http://seclists.org/fulldisclosure/2009/Sep/0039.html ) has been made public. It has been reported as causing a crash on Windows Server 2008; we have not verified this, but we have tested it as affecting both Vista and Windows 7. In most cases the system will restart after the crash, making this a denial-of-service (DoS) attack.

Other reports ( http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15 ) suggest that this causes more than a crash and results in remote code execution, which, if true, usually leads to new forms of malware spreading very rapidly.

TCP port 445 is commonly used for Windows shares, which are generally not required over the Internet, and it is frequently utilised for spreading malware. A recent notable case is Conficker, which would scan for and infect vulnerable systems on this port. There is no patch for this latest vulnerability, and the only way to prevent remote attackers from using this exploit is to prevent them from accessing your systems on TCP port 445; this is usually done on firewalls.
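One way to confirm that the firewall block described above is actually in place is to test your own public addresses from a machine outside the perimeter. The script below is an added example, not part of the original advisory; the host list is a constructed sample and the function names are illustrative.

```python
import socket

SMB_PORT = 445  # TCP port the advisory recommends blocking at the perimeter


def check_port(host, port=SMB_PORT, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - handshake completed: the service is reachable from here
    closed   - connection refused: host answers, nothing listening (or a
               firewall that rejects with a TCP reset)
    filtered - no answer or unreachable: what a dropping firewall looks like
               (a name that fails to resolve also ends up here)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts, unreachable network/host, resolution errors
        return "filtered"


def audit(hosts, port=SMB_PORT, timeout=3.0):
    """Return {host: state} for every host in the list."""
    return {h: check_port(h, port, timeout) for h in hosts}


def exposed(results):
    """Hosts that still accept connections and need a firewall rule."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed sample list (TEST-NET-3 documentation addresses); replace
    # with your own public addresses and run from outside the firewall.
    own_hosts = ["203.0.113.10", "203.0.113.11"]
    results = audit(own_hosts)
    for host, state in results.items():
        print(f"{host}: tcp/{SMB_PORT} {state}")
    if exposed(results):
        raise SystemExit("tcp/445 reachable: " + ", ".join(exposed(results)))
```

Any host reported as "open" is still reachable on TCP port 445 from where the script was run and is not covered by the block.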

Contact Us: irt@csirt.ja.net
PGP Key ID: 0x4EC70D66

0300 999 2340
+44 1235 822 340

Service Hours:
08:00 to 18:00 Mon-Fri
18:00 to 00:00 Mon-Fri*
09:00 to 17:00 Sat-Sun*
(*reduced service)
