Zscaler Defends Against Zero Day Vulnerability in Internet Explorer 6/7

Zscaler, Inc., the market leader in cloud-delivered multi-tenant Security as a Service (SaaS), today announced that it has deployed protections to protect customers against a new zero-day threat that affects Internet Explorer 6 & 7. Zscaler was able to deploy initial protections shortly after exploit code was first released and continues to update the protections as additional details become available through the Microsoft Active Protections Program, which Zscaler participates in.

Microsoft has released a security advisory (Microsoft Security Advisory 977981), warning of the threat, which can be triggered by a malformed Cascading Style Sheet (CSS). In the advisory, Microsoft has stated that a patch is not yet available but that they are monitoring the situation closely. CVE-2009-3762 has been reserved for this issue.

“Internet Explorer, versions 6 & 7 account for approximately 41% of web browsers in use today, so this vulnerability will be an enticing one for attackers,” said Michael Sutton, vice president Security Research, Zscaler. “Attacks such as these are also prime candidates for targeting otherwise legitimate websites as an attack vector. The exploit can be triggered simply via HTML code, so attackers can inject code into websites with weak security protections.” According to Sutton, Zscaler is continually monitoring for exploitation leveraging this attack vector by actively monitoring the traffic of Zscaler customers.