News

Microsoft Advises Upgrading IE 6 To Avoid Bug

• By Jabulani Leffall
• January 19, 2010

Microsoft provided more advice about a zero-day Internet Explorer vulnerability exploited by hackers last week.

The bug enabled attacks on Google and other companies, Microsoft has confirmed, but IE 6 appears to be the only browser version affected, the company announced this week. Microsoft hasn't heard of successful attacks against IE 7 and IE 8, according to George Stathakopoulos, Microsoft's general manager of Trustworthy Computing Security, in a blog post on Sunday.

On Monday, Jerry Bryant, Microsoft's senior security communications manager, added that Microsoft is investigating proof-of-concept vulnerabilities in IE 7 and IE 8.

"Earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista," Bryant wrote. "We are actively investigating, but cannot confirm, these claims."

Stathakopoulos downplayed the extent of the damage, saying that "we are only seeing very limited number of targeted attacks against a small subset of corporations."

German and French agencies reacted swiftly, advising people to switch from Internet Explorer to other browsers, according to a report published on Tuesday by the Wall Street Journal.

Microsoft may release an "out-of-band update," which will likely be announced sometime on Jan. 19, according to Ed Bott's blog. The company released a security advisory last week that outlines some steps to take in the meantime. Microsoft also recommended on Monday that users upgrade to more recent versions of IE, particularly IE 8, because of the "the improved security protection it offers," Bryant wrote.

Microsoft and third-party software security companies have recommended turning on a feature in Windows called "data execution protection" (DEP). DEP is turned on by default for Windows XP Service Pack 3 users, Stathakopoulos noted.

However, enabling DEP is just one step, according to Richie Lai, director of vulnerability research at security firm Qualys.

"First, you are protected from this specific known exploit if Data Execute Protection (DEP) is enabled in the operating system," Lai said. "While DEP has been proven to stop exploits like this, there are known ways to bypass DEP if you can get code running."

Another mitigating factor, Lai explained, is deploying address space layout randomization (ASLR). Lai added that IE platforms where both DEP and ASLR are enabled make "exploitation is extremely difficult."

Lai said Windows XP users should consult Microsoft's "Fix it" section from its advisory and that this will enable DEP for IE 6 or 7 on XP.

It's important to note that the problem doesn't begin and end with IE, according to Fraser Howard, principal virus researcher at SophosLabs.

"Actually, many other applications that the browser may interact with may be targeted by attackers (browser plug-ins, extensions and the like)," Howard wrote in a blog post on Monday. "A topical example currently would be (the ubiquitous) Adobe Reader, which has been somewhat hammered by malware throughout 2009…."

Microsoft pointed consumer users who think they have been affected by the bug to this page for help.