14 DAY TRIAL // Microsoft recommends that users of older releases of its browser upgrade to Internet Explorer 8 in order to leverage the version’s advanced security features and mitigations and be better protected against exploits targeting a new 0-day security vulnerability in IE. In addition, the Redmond company notes that users should make sure to be running Windows 7, or at least Windows Vista Service Pack 2 or Windows XP SP3. According to the software giant, no attacks or proof-of-concept code were identified targeting IE8 running on top of the platforms enumerated above.
At the same time, all versions of Internet Explorer, including IE6, IE7 and IE8 contain a Critical zero-day vulnerability as an invalid pointer reference within the browser. In the eventuality of a successful exploit, an attacker could take over the victim’s computer, Microsoft warned. Security Advisory (979352) offers extensive details about the vulnerability, along with the measures and workarounds customers running IE can turn to in order to protect their systems until a patch will be released. The Redmond company is currently hard at work producing a security update which will only be served to customers once sufficient testing recommends it for release.
As of the start of this week, “we have not seen any successful attacks against Internet Explorer 7. However, earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims,” revealed Bryant, Microsoft security program manager.
In the latest update offered by Microsoft on January 18th, 2010, the company notes that attacks “remain targeted to a very limited number of corporations and are only effective against Internet Explorer 6. We have not seen successful attacks on Internet Explorer 8. We continue to recommend customers upgrade to Internet Explorer 8 to benefit from the improved security protection it offers,” Bryant stated.
The new 0-day IE security hole was used in the attacks against Google and additional US companies originating from China. These original attacks were limited and targeted. But security outfit Websense now revealed that it also detected exploits in the wild taking advantage of the IE zero-day. The exploit code for the vulnerability was put together from proof-of-concept code published in the wild and made available in the Metasploit open-source penetration testing framework.
While Microsoft is advising customers to upgrade to IE8 and leverage security mitigations such as Protect Mode in combination with user Account Control and DEP to render attacks useless, the governments of Germany and France are advising IE users to turn to alternative browsers altogether. While believing to be responsively offering advice on how IE customers should protect themselves, governmental representatives in Germany and France have acted irresponsibly, and provided advice which is essentially utterly useless at anything else but creating panic. The truth is that customers still running IE6, especially corporations, are doing so for a reason, and while they can easily deploy the mitigations in Security Advisory (979352), they cannot simply have thousands of users running another browser than IE, before a patch will be provided by Microsoft.
Internet Explorer 8 is available for download here.