Microsoft Security Advisory For Internet Explorer, Fix Inside

Martin Brinkmann
Nov 4, 2010
Updated • Apr 22, 2012
Internet Explorer, Security

Vulnerabilities have moved into the focus of many Internet users. This time it is a new 0-day vulnerability for Microsoft's Internet Explorer that could allow remote code execution on the target system. The critical vulnerability affects all versions of the browser from Internet Explorer 6 to 8, but mitigating factors exist that protect the system or reduce the impact of the vulnerability.

The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Mitigating Factors

  • Data Execution Prevention (DEP) in Internet Explorer 8 on Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7.
  • Protected Mode in Internet Explorer on Vista and Windows 7 limits the impact of the vulnerability
  • The user has to visit a web page in a web based attack scenario to exploit the vulnerability. Typically, users need to click on a link to visit those websites. If they pay special attention to the sites they visit they can reduce the risk.
  • Microsoft Outlook, Outlook Express and Windows Live are not vulnerable to the attack if they are configured to open HTML email messages in the restricted zone. This is the default setting.

Internet Explorer users can block the attack fully by blocking the execution of ActiveX controls and Active Scripting in the preferences.

Microsoft furthermore has released a Fix It solution to protect computer systems from these attacks. The first Fix it solution overrides a website's cascading style sheets style by using a custom CSS for formatting documents.

The second Fix it solution applies only to Internet Explorer 7. It enables or disables DEP in the web browser. Both Fix It solutions are available directly from Microsoft. The original security advisory is available here.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. caschy said on November 4, 2010 at 12:02 pm

    Coole Formatierung ;)

    1. Martin said on November 4, 2010 at 12:16 pm

      diese verdammten tags ;)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.