News

Microsoft Warns of IE 6 and IE 7 Bug

A new zero-day Internet Explorer bug awaits IT pros returning from the holiday break.

Just before Thanksgiving Day, Microsoft released a security advisory on a vulnerability affecting IE 6 and IE 7 browsers, based on "new public reports." Browser versions that aren't affected include IE 8 and IE 5.01 Service Pack 4, according to Microsoft.

Microsoft is continuing to investigate the bug, which allows an attack based on the deletion of a cascading style sheet (CSS) object. The security bulletin indicated that IE 6 SP1 on Windows 2000 SP4 may be affected. Other affected browsers may include IE 6 and IE 7 on Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

Microsoft's security advisory explained that hackers can potentially run malicious code after a CSS object gets deleted.

"It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted," the bulletin stated. "In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code."

The bulletin adds that users still have to be diverted to a malicious Web page in order for the attack to occur.

IT pros need to have preventive measures in place, both for this bug and in general, according to Paul Henry, security and forensic analyst at Lumension.

"The latest Internet Explorer zero-day threat will unfortunately catch many off guard and will have a significant impact on many organizations that are still relying on outdated defenses," Henry said. "Vendor software vulnerabilities are not going away and zero-day threats will continue to plague even those organizations that have the best of the best in flaw remediation plans in place."

The security advisory offered a few workarounds for the issue until the vulnerability is patched. The workarounds involve changing IE's security zone settings, configuring active scripting settings in IE and turning on data execution prevention in the browser.

Microsoft explained that protected mode, available in IE 7 running on Windows Vista, "limits the impact of the vulnerability." Also, there is some protection for those running IE on Windows Server 2003 and Windows Server 2008. By default, those operating systems use Microsoft's enhanced security configuration, which sets IE's Internet zone security level to "high."

To date, there's no word on when a patch will arrive, which could appear with Microsoft's monthly patch release or in an out-of-band fix.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube