Microsoft admits to zero-day vulnerability in IE

By Sooraj Shah
02 Jan 2013

Microsoft has responded to public reports of a zero-day vulnerability in Internet Explorer (IE) 6, 7 and 8, suggesting temporary measures to help users to mitigate the issue.

The vulnerability could allow a remote attacker to take control of a Windows user's computer, but it does not affect users of IE 9 or 10.

"The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft explained in a security advisory notice.

"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within IE. An attacker could host a specially crafted website that is designed to exploit this vulnerability through IE and then convince a user to view the website," it added.

According to several reports, the vulnerability came to light after attackers used it to compromise the computers of Windows users who had visited the website of the US Council on Foreign Relations (CFR), a foreign policy resource site.

But while Microsoft is aware of the type of attack, it has not yet released a patch for IE that fully fixes the problem, stating that it could provide one either through its monthly security update cycle or as an out-of-cycle security update.

"We currently see only very targeted attacks. And we're working around the clock on the full security update," said Microsoft engineers Cristian Craioveanu and Jonathan Ness in a blog post.

In the meantime, the engineers suggest several workarounds to the issue, including the so-called "MSHTML Shim Workaround".

The firm also suggested that IE on Windows Server 2003, 2008 and 2008 R2 be run in restricted mode to eliminate the vulnerability; that Microsoft Outlook, Outlook Express and Windows Mail be configured to open HTML messages in the Restricted sites zone, which disables script and ActiveX controls; and finally that users set their Internet and Local intranet security zone settings to High.

Microsoft also told customers to keep their anti-virus and anti-spyware software up to date and to upgrade from IE 6, 7 or 8 to IE 9 or 10.
