Workarounds available

Nov 24, 2009 08:44 GMT

Customers already running the latest iteration of the Windows client, Windows 7, along with Internet Explorer 8, are safe from potential exploits targeting a zero-day vulnerability in older releases of Internet Explorer, according to Microsoft. In an email message to Softpedia, Alan Wallace, security response communications, Microsoft, explains that only pre-IE8 versions of Microsoft's proprietary browser are affected, with the exception of Internet Explorer 5.01 Service Pack 4. The Redmond company has also published a security advisory detailing the latest IE vulnerability, for which details have already been published in the wild.

“The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code,” Microsoft explained.

Most importantly, the security advisory in question describes the measures that customers can take to protect themselves against attacks. The simplest step users can take to ensure that no attacker will be able to exploit the new zero-day vulnerability on their machine is to upgrade to the latest version of Internet Explorer, namely IE8.

However, for those customers that for any given reason cannot upgrade to IE8, Microsoft details a range of alternative workarounds under the Suggested Actions area of the security advisory. Customers can choose to “Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones;” “Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone,” [and] “Enable DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer 7,” Microsoft noted.
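The first two workarounds quoted above (prompt before running ActiveX controls and Active Scripting in the Internet and Local intranet zones) are per-user Internet Explorer zone settings, and an administrator will usually want to audit them across machines rather than click through the Internet Options dialog. The PowerShell script below is an added example written for this article; it is not Microsoft's code and does not come from the advisory. It assumes the per-user zone settings live under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<id>` with `1` = Local intranet and `3` = Internet, that the action value names `1200` ("Run ActiveX controls and plug-ins") and `1400` ("Active scripting") hold `0` = Enable, `1` = Prompt, `3` = Disable, and that a value absent from the registry means the zone still uses its template default. The function names `Get-IEZoneActions` and `Set-IEZoneActionsToPrompt` are the example's own.

```powershell
# Added example, not from the article or Microsoft's advisory.
# Audits (and optionally sets) the two IE zone actions the workarounds refer to.

# Assumed registry layout: Zones\<id>, 1 = Local intranet, 3 = Internet.
$ZoneNames   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
# Assumed value names under each zone key: 1200 = ActiveX, 1400 = Active scripting.
$ActionNames = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
# Assumed data meaning: 0 = Enable, 1 = Prompt, 3 = Disable.
$StateNames  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZonePath {
    param([int]$ZoneId)
    return "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
}

# Reports, for each zone and action, what the current user's setting is and whether it
# already matches the workaround (Prompt or Disable both stop silent execution).
function Get-IEZoneActions {
    param([int[]]$ZoneIds = @(1, 3))
    foreach ($id in $ZoneIds) {
        $path = Get-IEZonePath -ZoneId $id
        if (-not (Test-Path $path)) { continue }          # zone key never customised
        $props = Get-ItemProperty -Path $path
        foreach ($valueName in $ActionNames.Keys) {
            $data = $props.$valueName                     # $null when the value is absent
            if ($null -eq $data) {
                $setting   = 'not set (zone template default)'
                $compliant = $false                       # cannot confirm, flag for review
            } else {
                $setting   = $StateNames[[int]$data]
                if (-not $setting) { $setting = "unknown ($data)" }
                $compliant = ([int]$data -ge 1)           # 1 = Prompt, 3 = Disable
            }
            [pscustomobject]@{
                Zone      = $ZoneNames[$id]
                Action    = $ActionNames[$valueName]
                Setting   = $setting
                Compliant = $compliant
            }
        }
    }
}

# Applies the workaround for the current user: set both actions to Prompt (1) in both zones.
# Prompt rather than Disable keeps intranet applications usable while still stopping
# scripts from running silently.
function Set-IEZoneActionsToPrompt {
    param([int[]]$ZoneIds = @(1, 3))
    foreach ($id in $ZoneIds) {
        $path = Get-IEZonePath -ZoneId $id
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($valueName in $ActionNames.Keys) {
            Set-ItemProperty -Path $path -Name $valueName -Value 1 -Type DWord
        }
    }
    Get-IEZoneActions -ZoneIds $ZoneIds
}

# Usage: audit first, then apply if anything is still at Enable.
Get-IEZoneActions | Format-Table -AutoSize
# Set-IEZoneActionsToPrompt | Format-Table -AutoSize
```

Two caveats a practitioner would check before rolling this out: machine-wide policy under `HKLM` (or a "Security Zones: Use only machine settings" Group Policy) overrides the per-user values this script reads, so a compliant `HKCU` result does not prove the effective setting; and prompting for Active Scripting in the Local intranet zone can interrupt internal web applications, which is why the advisory offers Prompt as well as Disable.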

“The vulnerability impacts Internet Explorer 6 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008,” Wallace stated. “Microsoft Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 on all supported versions of Microsoft Windows are not affected. This includes the recently released Windows 7. Microsoft is recommending that customers with earlier versions of the browser consider downloading the more recent version of IE to take advantage of the latest security and privacy features.”

Microsoft stressed the fact that, as of the start of this week, it had not detected attacks designed to exploit the vulnerability against IE6 SP1 and IE7. However, proof-of-concept code has already been irresponsibly published in the wild, putting all those still running IE6 and IE7 at risk.

“The company is aware of public, detailed exploit code that allows an attacker to gain the same rights as a local user; however, the exploit code requires an attacker to convince users to visit a maliciously-crafted Web site,” Wallace added. “The company is not aware of attacks to exploit the reported vulnerability at this time. While Microsoft is not currently aware of active attacks, the company recommends customers review and implement the workarounds outlined in the advisory until a comprehensive security update is released.”

Internet Explorer 8 (IE8) is available for download here.