
Microsoft warns of IE zero day vulnerability

24 November 2009


Workarounds for now


Software giant Microsoft has issued a security advisory that provides customers with guidance and workarounds for dealing with a zero-day exploit aimed at Internet Explorer. Over the weekend someone published the exploit code to the Bugtraq mailing list, and while no active exploits of the vulnerability have been reported so far, it appears Microsoft is taking no chances.

Microsoft released Security Advisory 977981, which includes workarounds for an issue that exposes a flaw in Cascading Style Sheets that could allow for remote code execution. Vulnerabilities that allow remote-code execution generally result in patches rated as critical by Microsoft. The vulnerability affects IE 6 on Windows 2000 Service Pack 4, and IE 6 and IE 7 on supported editions of XP, Vista, Windows Server 2003 and Windows Server 2008.

The workaround involves configuring the browser to run in Protected Mode to limit the impact of the vulnerability. Microsoft also recommended setting the Internet zone security setting to "High" to protect against the exploit. The "High" setting will disable JavaScript, which currently is the only confirmed attack mode. Microsoft said IE 5.01 Service Pack 4 and IE 8 on all supported versions of Windows are not affected.

For an attack to work, the hacker would first have to get his victim to visit a Web site that hosted the exploit code. This could be a malicious Web site set up by the hacker himself or it could be a site that allows users to upload content.

