« previous article | next article in Technology »

Microsoft issues IE security warning

Workarounds for dealing with zero-day exploit

By John Fontana | Published: 06:28 GMT, 24 November 09 | CIO UK

Related Content

News

Features

Opinion and Debate

Microsoft has issued a security advisory that provides customers with guidance and workarounds for dealing with a zero-day exploit aimed at Internet Explorer.

The company said it was investigating the incident which emerged over the weekend when someone published the exploit code to the Bugtraq mailing list. However, yesterday, Microsoft switched gears and issued the advisory. There have not been any active exploits of the vulnerability reported so far.

Microsoft released Security Advisory 977981, which includes workarounds for an issue that exposes a flaw in Cascading Style Sheets that could allow for remote code execution. Vulnerabilities that allow remote-code execution generally result in patches rated as critical by Microsoft.

The advisory confirmed the vulnerability affects IE 6 on Windows 2000 Service Pack 4, and IE 6 and IE 7 on supported editions of XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft's said users running IE 7 on Vista can configure the browser to run in Protected Mode to limit the impact of the vulnerability. It also recommended setting the Internet zone security setting to "High" to protect against the exploit. The "High" setting will disable JavaScript, which currently is the only confirmed attack mode.

Microsoft said IE 5.01 Service Pack 4 and IE 8 on all supported versions of Windows are not affected.

Registration is free, and gives you full access to our extensive white paper library, case studies & analysis, downloads & speciality areas, and more.

For an attack to work, the hacker would first have to get his victim to visit a website that hosted the exploit code. This could be a malicious website set up by the hacker himself or it could be a site that allows users to upload content.

Another way cyber criminals have launched this type of attack, however, is by hacking into legitimate websites. Earlier this week, for example citizen's band radio vendor Cobra Electronics disclosed that it had been hacked in June, most likely by a professional hacker who had used the site to download malware to customers.

Microsoft did not say whether it would patch the flaw during its next regularly scheduled set of security updates, due 8 December.

(Robert McMillan of the IDG News Service contributed to this report.)

Email Updates

CIO Newsletters: Expert insight, advice and tools for technology, business, leadership and the CIO career.

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

CIO White Papers

Legal risks of uncontrolled email and web use

Exploring the challenges facing IT Mangers today and vital steps to ensure safe internet an email use by employees.

The challenge of strategic alignment

Recent research also shows that many organisations give too much prominence to internally generated KPIs – controlling the controllable – rather than looking outwards at threats and opportunities on the horizon which can ultimately be far more influential on performance.

Six essential steps to successful IT centralisation

This report, based on the real experience of a recent centralisation project, is aimed at those involved in IT strategy within their organisation. It provides some practical insights for CIOs, CTOs, Heads of IT, IT Directors and those involved more closely with the service management function.

Managing email: Exploring common email management challenges (and how to overcome them)

We surveyed 157 IT professionals to understand the difficulties and opportunities faced by email managers. From this we were able to highlight some easy-to-manange solutions to their most pressing problems.

CIO UK - Business - Technology - Leadership

Differentiate your company with complete CRM

Focused on productivity and empowerment and leveraging the natural rhythms people work
What defines Complete CRM? How businesses can better engage customers and users, manage customer transactions, and analyse results to adapt and take advantage of changing business and economic circumstances.

DOWNLOAD

Oracle White Paper

IT Misuse Survey

Complete this survey and you could win a Nexus One.

CIO are running a short survey to discover how UK businesses are managing internet and email misuse in the Enterprise.

COMPLETE SURVEY

Virtualisation - The 'black hole' of security?

Covering the set of issues, ideas and perceptions discussed during a recently held debate about the effect of virtualisation techniques on organisational security. This paper provides a comprehensive account of all the subject matters debated and concludes with key takeaways and IDC recommended actions.

DOWNLOAD

Trend Micro

* *