Nov 4, 2010 09:48 GMT

Microsoft has moved extremely fast after public reports of a new Critical zero-day vulnerability affecting Internet Explorer emerged, and the company is already offering multiple fixes for the security flaw.

On November 2nd, 2010, Microsoft confirmed a security hole impacting Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 which could allow attackers to perform remote code execution in the event of a successful attack.

“The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” the software giant explained.

A Microsoft spokeswoman who contacted me explained that the actual impact of the new IE 0-day is quite limited and that the company is not aware of any affected customers.

Still, exploits of the vulnerability were detected in the wild, but they were part of limited and targeted attacks.

“The exploit code was discovered on a single website which is no longer hosting the malicious code. When a website is discovered to host malicious software, we work through legal channels to take the site down.

“These kinds of attempts to exploit systems and the people using technology are the activity of criminals. Microsoft takes this very seriously and where possible, we will take legal action against those responsible,” explained Jerry Bryant, Group Manager, Response Communications Trustworthy Computing Group.

Microsoft Security Advisory (2458511) has been published and is designed to offer customers additional information on this vulnerability, as well as provide them with details of mitigations that can be set up in order to render any attacks useless.

As usual, customers who rely on the security enhancements in Internet Explorer and Windows enjoy added protection against exploits.

Users with Data Execution Prevention (DEP), User Account Control (UAC) and Protected Mode enabled are less exposed to this threat, the software giant explained.

At the same time, Microsoft published KB 2458511 which contains two fixes for this flaw. Customers must understand that the fixes are temporary solutions and not actual patches.

“Fix it solution for the user-defined CSS - A fixit is available that enables supported versions of Internet Explorer to override a website's cascading style sheets by using a custom CSS for formatting documents.”

Another excellent solution for customers, especially end users, looking to protect themselves against attacks targeting this vulnerability, is to make the jump to Internet Explorer 9.

IE9 Beta is not affected by the new IE 0-day vulnerability, Microsoft explained, and is a broad, high-quality Beta which can be used in production environments.

“Internet Explorer 9 Beta users are not affected by this issue and any customers who wish to upgrade their browser to this version can do so freely at www.microsoft.com/ie. Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue.

“This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms,” Bryant added.
