Microsoft Security Advisory For Internet Explorer, Fix Inside

Martin Brinkmann
Nov 4, 2010
Updated • Apr 22, 2012
Internet Explorer, Security

Vulnerabilities have become a focus for many Internet users. This time it is a new 0-day vulnerability in Microsoft's Internet Explorer that could allow remote code execution on the target system. The critical vulnerability affects all versions of the browser from Internet Explorer 6 to 8, but mitigating factors exist that protect the system or reduce the impact of the vulnerability.

The vulnerability exists due to an invalid flag reference within Internet Explorer. Under certain conditions the invalid flag reference can be accessed after an object is deleted. In a specially crafted attack, the attempt to access that freed object can cause Internet Explorer to allow remote code execution.

Mitigating Factors

  • Data Execution Prevention (DEP) in Internet Explorer 8 on Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7 helps protect against exploitation of the vulnerability.
  • Protected Mode in Internet Explorer on Vista and Windows 7 limits the impact of the vulnerability.
  • In a web-based attack scenario, the user has to visit a web page to be exposed to the vulnerability. Typically, users need to click on a link to visit those websites. If they pay special attention to the sites they visit, they can reduce the risk.
  • Microsoft Outlook, Outlook Express and Windows Live are not vulnerable to the attack if they are configured to open HTML email messages in the Restricted sites zone. This is the default setting.

Internet Explorer users can block the attack fully by blocking the execution of ActiveX controls and Active Scripting in the preferences.
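The zone-setting workaround above, as an added example that is not part of the original post or of Microsoft's Fix It: it audits the Internet zone's ActiveX and Active Scripting settings and, with -Harden, sets both to Disable. It assumes PowerShell on the affected client and relies on the documented security-zone registry layout (zone 3 = Internet, value 1200 = Run ActiveX controls and plug-ins, value 1400 = Active scripting, data 3 = Disable).

```powershell
# Added example: audit/harden the two Internet-zone controls the workaround
# relies on. Zone IDs, value names and data values follow the documented
# Internet Explorer security-zone registry layout (per-user hive).
# Group Policy may enforce these settings machine-wide under HKLM instead,
# in which case the HKCU values shown here are not the effective ones.
param([switch]$Harden)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$settings = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the DWORD for one zone setting, or $null when the value is absent
# (an absent value means the zone's built-in default applies).
function Get-ZoneSetting([string]$ValueName) {
    $item = Get-ItemProperty -Path $zonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$exposed = @()
foreach ($id in $settings.Keys) {
    $current = Get-ZoneSetting $id
    $label = if ($null -eq $current) { 'not set (zone default)' } else { $labels[$current] }
    if ($null -eq $label) { $label = "unknown ($current)" }
    Write-Host ("{0,-36} [{1}] = {2}" -f $settings[$id], $id, $label)
    # Anything other than Disable (3) leaves the control usable from Internet-zone pages.
    if ($current -ne 3) { $exposed += $id }
}

if ($exposed.Count -eq 0) {
    Write-Host 'Internet zone already blocks ActiveX controls and Active Scripting.'
} elseif ($Harden) {
    foreach ($id in $exposed) {
        Set-ItemProperty -Path $zonePath -Name $id -Value 3 -Type DWord
        Write-Host ("Set {0} [{1}] to Disable" -f $settings[$id], $id)
    }
} else {
    Write-Host 'Re-run with -Harden to disable the exposed settings (expect breakage on script-heavy sites).'
}
```

Disabling Active Scripting in the Internet zone breaks most modern sites, so pair it with Trusted sites entries for business applications rather than leaving it unqualified.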

Microsoft has furthermore released a Fix It solution to protect computer systems from these attacks. The first Fix It solution overrides a website's cascading style sheets (CSS) by applying a custom style sheet when formatting documents.

The second Fix It solution applies only to Internet Explorer 7; it enables or disables DEP in the web browser. Both Fix It solutions are available directly from Microsoft. The original security advisory is available here.

Comments

  1. caschy said on November 4, 2010 at 12:02 pm
    Reply

    Cool formatting ;)

    1. Martin said on November 4, 2010 at 12:16 pm
      Reply

      these damn tags ;)
