Vupen French security company, said they found the IE browser’s HTML rendering engine in the existence of a 0day vulnerability, if exploited, an attacker can remotely bypass the patch played a full system, Windows 7 and Vista security measures on the system to run malicious code.Microsoft later said it is investigating this.

Microsoft is still under investigation in time, Vupen open the system to exploit the vulnerability to bypass security measures, attack code , IE6, IE7 and IE8 are not immune. IE flaw with previous exposure is different from the the 0day vulnerabilities can be used in most versions of Windows and IE to execute malicious code, including a complete patch Windows 7 on IE8.

An attacker could exploit the vulnerability and related technologies to bypass the security features of two Windows: DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), this problem is caused by “mshtml.dll” dynamic link library file a ” use-after-free “error caused. When dealing with a contain a variety of “@ import“rule of reference CSS (Cascading Style Sheets) file Web page, when this error to allow a remote attacker via a specially crafted web page to execute arbitrary code.

Microsoft is still under investigation, this month’s security patches have already been released last week, Microsoft may be in January next year’s patch fixes the vulnerability, if the situation was serious, Microsoft may also be unusual for this patch release.