ARN

Microsoft issues security advisory on IE vulnerability

Exploit code released over weekend for browser attack

Microsoft Monday night issued a security advisory that provides customers with guidance and workarounds for dealing with a zero-day exploit aimed at Internet Explorer.

Earlier in the day, the company said it was investigating the incident which emerged over the weekend when someone published the exploit code to the Bugtraq mailing list. By Monday night, Microsoft switched gears and issued the advisory. There have not been any active exploits of the vulnerability reported so far.

Microsoft released Security Advisory 977981, which includes workarounds for an issue that exposes a flaw in Cascading Style Sheets that could allow for remote code execution. Vulnerabilities that allow remote-code execution generally result in patches rated as critical by Microsoft.

Microsoft's Security Response Center posted a blog entry Tuesday night saying it was working on a patch: "Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band."

The advisory confirmed the vulnerability affects IE 6 on Windows 2000 Service Pack 4, and IE 6 and IE 7 on supported editions of XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft’s said users running IE 7 on Vista can configure the browser to run in Protected Mode to limit the impact of the vulnerability. It also recommended setting the Internet zone security setting to “High” to protect against the exploit. The “High” setting will disable JavaScript, which currently is the only confirmed attack mode.

Microsoft said IE 5.01 Service Pack 4 and IE 8 on all supported versions of Windows are not affected.

For an attack to work, the hacker would first have to get his victim to visit a Web site that hosted the exploit code. This could be a malicious Web site set up by the hacker himself or it could be a site that allows users to upload content.

Another way cyber criminals have launched this type of attack, however, is by hacking into legitimate Web sites. Earlier this week, for example citizen's band radio vendor Cobra Electronics disclosed that it had been hacked in June, most likely by a professional hacker who had used the site to download malware to customers.

Microsoft did not say whether it would patch the flaw during its next regularly scheduled set of security updates, due Dec. 8.

(Robert McMillan of the IDG News Service contributed to this report.)

Come socialise with us! Facebook | LinkedIn

More about: Cobra Electronics, Microsoft
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the ARN comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Windows Vista, Windows, Microsoft
ARN Directory | Distributors relevant to this article
ASI Solutions , Bluechip Infotech , Compucon Computers , Dicker Data , Express Data , Express Online , Impact Systems Technology , Ingram Micro Australia , Leader Computers , Leading Pacific Australia , NewLease , Simms International (For Simms International please see Express Online) , Synnex Australia , Topstar Computer International , Westan , XiT Distribution , Xpress I.T.
rhs_login_lockGet exclusive access to ARN's news, research and invitation only events.
ARN Distributor Directory
Find distributors by name | vendor | location
Channel Deals
/deals/synnex/425_lenovo-february-and-march-hot-deal-3
Synnex

Lenovo February and March Hot Deal 3

More details »
ARN Vendor Directory
Find vendors by name | category

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.