Microsoft Security Advisory For Internet Explorer, Fix Inside - gHacks Tech News

Vulnerabilities have moved into the focus of many Internet users. This time it is a new 0-day vulnerability in Microsoft's Internet Explorer that could allow remote code execution on the target system. The critical vulnerability affects all versions of the browser from Internet Explorer 6 to 8, but mitigating factors exist that protect the system or reduce the impact of the vulnerability.

The vulnerability exists due to an invalid flag reference within Internet Explorer. Under certain conditions, the invalid flag reference can be accessed after an object is deleted. In a specially crafted attack, Internet Explorer's attempt to access the freed object can lead to remote code execution.

Mitigating Factors

  • Data Execution Prevention (DEP) in Internet Explorer 8 on Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7.
  • Protected Mode in Internet Explorer on Vista and Windows 7 limits the impact of the vulnerability.
  • In a web-based attack scenario, the user has to visit a web page for the vulnerability to be exploited. Typically, users need to click on a link to visit those websites. If they pay special attention to the sites they visit, they can reduce the risk.
  • Microsoft Outlook, Outlook Express and Windows Live are not vulnerable to the attack if they are configured to open HTML email messages in the restricted zone. This is the default setting.

Internet Explorer users can block the attack fully by blocking the execution of ActiveX controls and Active Scripting in the preferences.
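To verify that this workaround is actually in effect on a machine, the following read-only PowerShell audit reports how the Internet zone handles ActiveX controls and Active Scripting. It is an added example, not part of the article or of Microsoft's advisory; the registry paths, the URL action numbers (1200, 1400) and the value meanings are the standard Internet Explorer zone settings and are assumptions relative to this page.

```powershell
# Added example: audit the Internet zone (zone 3) settings for ActiveX and
# Active Scripting. Read-only; it changes nothing on the system.
$zone = 3   # 3 = Internet zone (assumption: standard IE zone numbering)

# URL actions relevant to the workaround described in the article.
$actions = @(
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins' },
    @{ Id = '1400'; Name = 'Active scripting' }
)

# DWORD values used by IE for these actions.
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Policy keys take precedence over user preferences, so they are checked first.
# Not handled here: the Security_HKLM_only policy, which changes this order.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneAction([string]$Id) {
    # Return the first configured value for this action and where it came from.
    foreach ($root in $roots) {
        $key  = Join-Path $root $zone
        $prop = Get-ItemProperty -Path $key -Name $Id -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            return @{ Value = [int]$prop.$Id; Source = $key }
        }
    }
    return $null
}

foreach ($a in $actions) {
    $r = Get-ZoneAction $a.Id
    if ($null -eq $r) {
        $state = 'Not set'; $source = '-'
    } else {
        $state = $meaning[$r.Value]
        if (-not $state) { $state = "Other ($($r.Value))" }
        $source = $r.Source
    }
    # Only "Disabled" counts as blocked; "Prompt" still lets a user allow it.
    New-Object PSObject -Property @{
        Action = $a.Name; State = $state
        Blocked = ($state -eq 'Disabled'); Source = $source
    }
}
```

Run it in the context of the user whose browser settings are being checked, since the HKCU values are per-user.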

Microsoft has also released Fix It solutions to protect computer systems from these attacks. The first Fix It solution overrides a website's cascading style sheet (CSS) styles by using a custom CSS for formatting documents.

The second Fix It solution applies only to Internet Explorer 7. It enables or disables DEP in the web browser. Both Fix It solutions are available directly from Microsoft. The original security advisory is available here.

Comments

  1. caschy said on November 4, 2010 at 12:02 pm

    Cool formatting ;)

    1. Martin said on November 4, 2010 at 12:16 pm

      those damned tags ;)
