News

Microsoft Offers IE Security Workaround, But No Fix

A zero-day flaw in Internet Explorer 7 reported last week has sparked increased hacker activity, and now the attacks involve most versions of Microsoft's Internet browser.

A zero-day flaw in Internet Explorer 7 reported last week has sparked increased hacker activity, and now the attacks involve most versions of Microsoft's Internet browser. Still, Microsoft does not plan to issue a fix for the exploit until sometime next year.

The attack code originated on Chinese servers and initially only affected IE7, but it emerged that IE5.01, IE6, IE7 and IE8 Beta 2, have also been exploited.

On Monday, Redmond continued to investigate what it called "huge increases" in attacks exploiting the "critical" vulnerability in Internet Explorer. A blog post on Saturday explained that some of the attacks originated from compromised porn sites.

Microsoft is stressing that avoiding questionable Web destinations may not be an adequate defense in itself.

"This class of attack, along with other more classical forms of website intrusion, mean[s] that even trusted sites can end up serving malicious content, causing you[r computer] to get infected. Other researchers confirmed that attacks were increasingly coming from compromised Web sites," the blog said.

Research by other companies confirmed an uptick in incursions using IE as the vector. Antivirus software maker Trend Micro Inc. issued a statement on Monday indicating that as many as 10,000 sites have been compromised by this IE browser flaw over a week's time.

In response, Microsoft added a third addendum to its security advisory over the weekend. The addendum lists possible workarounds and solutions to serve as stopgap measures until a comprehensive IE fix for this exploit becomes available in 2009.

The attacks come as Redmond fights for increased browser market share. A recent survey found that IE8 was the safest, but least popular, Web browser in a beta comparison with Mozilla Firefox and Google Chrome.

Users should turn to other browsers besides IE until this problem can be fixed, according to Wolfgang Kandek, chief technology officer of security firm Qualys. However, Kandek contends that no browser is safe unless patched in real time or patched frequently, a technique known as "fast patching."

"Recent research has shown that Firefox fast patching offers significant advantages over IE, Opera and others," he said. "Opera has added fast patching in their newest release and Google Chrome has had it from the get-go."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Mastering Blazor Authentication and Authorization

    At the Visual Studio Live! @ Microsoft HQ developer conference set for August, Rockford Lhotka will explain the ins and outs of authentication across Blazor Server, WebAssembly, and .NET MAUI Hybrid apps, and show how to use identity and claims to customize application behavior through fine-grained authorization.

  • Linear Support Vector Regression from Scratch Using C# with Evolutionary Training

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the linear support vector regression (linear SVR) technique, where the goal is to predict a single numeric value. A linear SVR model uses an unusual error/loss function and cannot be trained using standard simple techniques, and so evolutionary optimization training is used.

  • Low-Code Report Says AI Will Enhance, Not Replace DIY Dev Tools

    Along with replacing software developers and possibly killing humanity, advanced AI is seen by many as a death knell for the do-it-yourself, low-code/no-code tooling industry, but a new report belies that notion.

  • Vibe Coding with Latest Visual Studio Preview

    Microsoft's latest Visual Studio preview facilitates "vibe coding," where developers mainly use GitHub Copilot AI to do all the programming in accordance with spoken or typed instructions.

  • Steve Sanderson Previews AI App Dev: Small Models, Agents and a Blazor Voice Assistant

    Blazor creator Steve Sanderson presented a keynote at the recent NDC London 2025 conference where he previewed the future of .NET application development with smaller AI models and autonomous agents, along with showcasing a new Blazor voice assistant project demonstrating cutting-edge functionality.

Subscribe on YouTube