With a severity rating of Important

Feb 14, 2007 10:34 GMT

Internet Explorer 7's immaculate record is on its way down the drain. Concomitantly with the release of the February 2007 Security Bulletins, Microsoft has also made available patches for vulnerabilities scarring the latest version of its browser.

Two privately reported vulnerabilities related to COM Object Instantiation Memory Corruption affect a range of Microsoft browsers including Internet Explorer 5.01, 6, and 7. Only the issues impacting Versions 5 and 6 of Internet Explorer are considered Critical.

"A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system," stated Microsoft.

However, Microsoft has stated that only IE7 for Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 are affected. The IE7 that ships with Windows Vista is in no way impacted by the vulnerabilities. Microsoft has released a cumulative security update for Internet Explorer.

"Included in this release are 'Important' security updates for Internet Explorer 7 for Windows XP SP2 and Windows Server 2003 SP1 that disable specific COM objects not intended to be instantiated in Internet Explorer. While these vulnerabilities are considered 'Critical' in IE5 and IE6, the objects are blocked by the ActiveX Opt-in feature in IE7, preventing attacks that use non-approved controls from running an exploit. Since some users may turn off ActiveX Opt-in or mistakenly permit the objects to load without prompt, this update disables loading these objects to provide further defense-in-depth. IE7 in Windows Vista already disables these objects and is not affected by this update," revealed Geoffrey Silva, IE Program Manager.