Users of Blink client security are already protected and Retina has been updated with an audit to help detect and prevent without incident or update
(Irvine, CA) December 12, 2008 - eEye Digital Security (www.eeye.com), an expert in integrated security and threat-management solutions, today announced that it offers protection from a vulnerability in the Internet Explorer 7 browser that allows an attacker to execute arbitrary code on a victim’s host if the victim visits a malicious website. Exploit code for this vulnerability has been released in public forums, and exploitation has been seen in the wild.
“Internet Explorer remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be across any site on the Internet,” said Andre Protas, eEye’s Director of Research and Preview Services. “An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.”
Disclosed on 12/9/08, this critical-severity exploit is commonly known as the Microsoft Internet Explorer 7 XML Zero-Day. Microsoft has not yet announced a patch release date, but there is a high likelihood of an out-of-band patch, an uncommon but important part of Microsoft’s patching process.
Affected applications include:
IE7 on Windows XP
IE7 on Windows Server 2003
IE7 on Windows Vista (Not Currently Targeted)
Said Protas, “The good news is that eEye’s Blink Client Security protected systems from this vulnerability without the need for an update. Pure zero-day protection -- this is what matters most to administrators. eEye Retina was updated with an audit to help detect systems that have Internet Explorer 7 set as the default browser.”
In addition, eEye’s Preview Services delivered advanced security intelligence on the IE7 vulnerability to its customers, including fully functional exploits for testing, a twelve-page document about the vulnerability, and full details on the attackers that identified and helped distribute the vulnerability details.
For information regarding the potential risks and remediation requirements of Microsoft’s Patch Tuesday releases and related announcements, eEye offers a monthly Vulnerability Expert Forum webinar on the Wednesday following Patch Tuesday, which provides valuable insight into newly discovered vulnerabilities and the actions that need to be taken as a result. (Patch Tuesday releases occur on the second Tuesday of the month.)
About eEye Digital Security
eEye Digital Security is the global leader in a new class of security solutions: comprehensive vulnerability management and zero-day endpoint security protection. eEye enables secure computing through world-renowned research and innovative technology, supplying the world's largest businesses with an integrated and research-driven vulnerability assessment, intrusion prevention, and client security solution. eEye's research team is consistently the first to identify new threats in the wild and our products leverage that research to deliver the insights and tools necessary to protect our customers' operating environments. For more information, please visit http://www.eeye.com
Primary Press Contact
Victor Cruz
MediaPR
(401) 349-3369 vcruz@mediapr.net
EMEA Press Contact
Ralph Klöwer
INTERFACE Relations
+49 (0) 89-552 688-66 r.kloewer@interface.pr.de

