News

Microsoft Issues Workaround for IE 6 and 7 Flaw

Microsoft published a workaround for an in-the-wild vulnerability in Internet Explorer 6 and 7, described last week.

The vulnerability, which doesn't affect IE 8, was first disclosed in a March 9 security advisory, which suggested that the bug could enable remote code execution-type exploits. Microsoft is considering releasing an out-of-band fix. On Friday, the company added a workaround to the advisory.

According to Redmond, IT administrators can leverage the workaround by "disabling the peer factory class through the modification of a registry key." To simplify matters, Microsoft pointed IT administrators to a Microsoft Fix It link that the company says will automate the workaround for Windows XP and Windows Server 2003 customers.

In an e-mailed statement, Microsoft Security Response Center spokesman Jerry Bryant said that his group is "working hard to produce an update which is currently in the testing phase."

Microsoft's continued testing of the vulnerability is "a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows," Bryant said.

He also warned that customers should test the workaround "thoroughly before deploying as certain functionality that depends on the peer factory class...may be affected." Such functions include printing a document from a Web page using IE or saving a Web page file during an IE session. Those two functions in particular, according to Bryant, may be affected by the installation of the workaround.

Andrew Storms, director of security at nCircle, believes that much like the IE zero-day bug in January, which received a lot of press because of its involvement in the "Aurora" exploit that hit Google, this bug will get what he called swift "mitigation assistance."

"The good news is that, at this time, IE 8 is not affected," Storms said. "There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser wars."

Bryant didn't specify if or when Microsoft's investigation might yield an out-of-band update. "We never rule out the possibility of an out-of-band update," he said regarding this IE bug.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube