News

Microsoft Issues Workaround for IE 6 and 7 Flaw

Microsoft published a workaround for an in-the-wild vulnerability in Internet Explorer 6 and 7, described last week.

The vulnerability, which doesn't affect IE 8, was first disclosed in a March 9 security advisory, which suggested that the bug could enable remote code execution-type exploits. Microsoft is considering releasing an out-of-band fix. On Friday, the company added a workaround to the advisory.

According to Redmond, IT administrators can leverage the workaround by "disabling the peer factory class through the modification of a registry key." To simplify matters, Microsoft pointed IT administrators to a Microsoft Fix It link that the company says will automate the workaround for Windows XP and Windows Server 2003 customers.

In an e-mailed statement, Microsoft Security Response Center spokesman Jerry Bryant said that his group is "working hard to produce an update which is currently in the testing phase."

Microsoft's continued testing of the vulnerability is "a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows," Bryant said.

He also warned that customers should test the workaround "thoroughly before deploying as certain functionality that depends on the peer factory class...may be affected." Such functions include printing a document from a Web page using IE or saving a Web page file during an IE session. Those two functions in particular, according to Bryant, may be affected by the installation of the workaround.

Andrew Storms, director of security at nCircle, believes that much like the IE zero-day bug in January, which received a lot of press because of its involvement in the "Aurora" exploit that hit Google, this bug will get what he called swift "mitigation assistance."

"The good news is that, at this time, IE 8 is not affected," Storms said. "There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser wars."

Bryant didn't specify if or when Microsoft's investigation might yield an out-of-band update. "We never rule out the possibility of an out-of-band update," he said regarding this IE bug.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Full Stack Hands-On Development with .NET

    In the fast-paced realm of modern software development, proficiency across a full stack of technologies is not just beneficial, it's essential. Microsoft has an entire stack of open source development components in its .NET platform (formerly known as .NET Core) that can be used to build an end-to-end set of applications.

  • .NET-Centric Uno Platform Debuts 'Single Project' for 9 Targets

    "We've reduced the complexity of project files and eliminated the need for explicit NuGet package references, separate project libraries, or 'shared' projects."

  • Creating Reactive Applications in .NET

    In modern applications, data is being retrieved in asynchronous, real-time streams, as traditional pull requests where the clients asks for data from the server are becoming a thing of the past.

  • AI for GitHub Collaboration? Maybe Not So Much

    No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.

  • Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

    As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.

Most   Popular

Subscribe on YouTube