David Baxter PhD
Late Founder
Microsoft Acknowledges IE7 Flaw
by Dennis Fisher
November 24, 2009
Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.
The company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS's X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.
In its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability does not affect Windows 7, the company's newest release, or IE8, the latest version of the browser. Microsoft also said that running IE7 in Protected Mode, which limits some of its functionality, on Windows Vista, mitigates some of the effects of the vulnerability.
"At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Microsoft said in its advisory.
The next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting; and enabling DEP (Data Execution Protection) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for "Enable memory protection to help mitigate online attacks."
Microsoft also has published a FixIt tool that will automatically enable DEP:
"We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer. You do not need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms."
by Dennis Fisher
November 24, 2009
Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.
The company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS's X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.
In its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability does not affect Windows 7, the company's newest release, or IE8, the latest version of the browser. Microsoft also said that running IE7 in Protected Mode, which limits some of its functionality, on Windows Vista, mitigates some of the effects of the vulnerability.
"At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Microsoft said in its advisory.
The next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting; and enabling DEP (Data Execution Protection) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for "Enable memory protection to help mitigate online attacks."
Microsoft also has published a FixIt tool that will automatically enable DEP:
"We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer. You do not need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms."
