Microsoft warns of IE zero day vulnerability

kemical

Written by Nick Farrell Tuesday, 24 November 2009 10:04


Workarounds for now

Software giant Microsoft has issued a security advisory that provides customers with guidance and workarounds for dealing with a zero-day exploit aimed at Internet Explorer. Over the weekend someone published the exploit code to the Bugtraq mailing list and while no active exploits of the vulnerability have been reported so far, it appears Microsoft is taking no chances.

Microsoft released Security Advisory 977981, which includes workarounds for an issue that exposes a flaw in Cascading Style Sheets that could allow for remote code execution. Vulnerabilities that allow remote-code execution generally result in patches rated as critical by Microsoft. The vulnerability affects IE 6 on Windows 2000 Service Pack 4, and IE 6 and IE 7 on supported editions of XP, Vista, Windows Server 2003 and Windows Server 2008.

The workaround involves configuring the browser to run in Protected Mode to limit the impact of the vulnerability. It also recommended setting the Internet zone security setting to "High" to protect against the exploit. The "High" setting will disable JavaScript, which currently is the only confirmed attack mode. Microsoft said IE 5.01 Service Pack 4 and IE 8 on all supported versions of Windows are not affected.

For an attack to work, the hacker would first have to get his victim to visit a Web site that hosted the exploit code. This could be a malicious Web site set up by the hacker himself or it could be a site that allows users to upload content.

Fudzilla - Microsoft warns of IE zero day vulnerability
 

