News

Microsoft Advises Upgrading IE 6 To Avoid Bug

Microsoft provided more advice about a zero-day Internet Explorer vulnerability exploited by hackers last week.

The bug enabled attacks on Google and other companies, Microsoft has confirmed, but IE 6 appears to be the only browser version targeted in the attacks observed so far, the company announced this week. Microsoft has not seen successful attacks against IE 7 or IE 8, George Stathakopoulos, Microsoft's general manager of Trustworthy Computing Security, wrote in a blog post on Sunday.

On Monday, Jerry Bryant, Microsoft's senior security communications manager, added that Microsoft is investigating reports of proof-of-concept exploit code for the same vulnerability on IE 7 and IE 8.

"Earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista," Bryant wrote. "We are actively investigating, but cannot confirm, these claims."

Stathakopoulos downplayed the extent of the damage, saying that "we are only seeing [a] very limited number of targeted attacks against a small subset of corporations."

German and French agencies reacted swiftly, advising people to switch from Internet Explorer to other browsers, according to a report published on Tuesday by the Wall Street Journal.

Microsoft may release an "out-of-band update," which will likely be announced sometime on Jan. 19, according to Ed Bott's blog. The company released a security advisory last week that outlines some steps to take in the meantime. Microsoft also recommended on Monday that users upgrade to more recent versions of IE, particularly IE 8, because of "the improved security protection it offers," Bryant wrote.

Microsoft and third-party security companies have recommended turning on the Windows feature called Data Execution Prevention (DEP), which stops the processor from executing code out of memory pages that are marked as data only. DEP is turned on by default for IE 8 on Windows XP Service Pack 3, Stathakopoulos noted, but not for IE 6 or IE 7 on XP.

However, enabling DEP is just one step, according to Richie Lai, director of vulnerability research at security firm Qualys.

"First, you are protected from this specific known exploit if Data Execute Protection (DEP) is enabled in the operating system," Lai said. "While DEP has been proven to stop exploits like this, there are known ways to bypass DEP if you can get code running."

Another mitigating factor, Lai explained, is address space layout randomization (ASLR), which loads system libraries at unpredictable addresses so an exploit cannot rely on known code locations. Lai added that on IE platforms where both DEP and ASLR are enabled, "exploitation is extremely difficult."

Lai said Windows XP users should apply the "Fix it" from Microsoft's advisory, which enables DEP for IE 6 or IE 7 on XP.

It's important to note that the problem doesn't begin and end with IE, according to Fraser Howard, principal virus researcher at SophosLabs.

"Actually, many other applications that the browser may interact with may be targeted by attackers (browser plug-ins, extensions and the like)," Howard wrote in a blog post on Monday. "A topical example currently would be (the ubiquitous) Adobe Reader, which has been somewhat hammered by malware throughout 2009…."
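The two points above, that DEP and ASLR together are what makes exploitation hard and that plug-ins loaded into the browser are targets in their own right, come together in one practical check: does each module loaded into the browser actually opt into those protections? The script below is an added example for this article, not code from Microsoft, Qualys or Sophos. It reads the PE headers of any Windows executables or DLLs you point it at and reports whether each carries the NX_COMPAT (DEP opt-in) and DYNAMIC_BASE (ASLR opt-in) flags, and whether the relocation data ASLR needs is still present. The file names in the usage comment and the header-only sample images built by build_sample_pe are constructed for illustration, not real binaries.

```python
"""Report whether Windows PE images opt into DEP and ASLR.

Added example for this article; not code from Microsoft, Qualys or Sophos.
With the system DEP policy at "OptIn" (the default for client Windows), a
process gets DEP only if its .exe carries IMAGE_DLLCHARACTERISTICS_NX_COMPAT
or something else opts it in (Microsoft's Fix it, SetProcessDEPPolicy).
ASLR moves a module only if it carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
and still has its relocation data.  A browser plug-in missing either flag
leaves a fixed, executable footprint that an attacker can reuse.
"""
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040    # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100       # DEP opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers of a PE image and return its opt-ins."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsec, _stamp, _symtab, _nsyms,
     opt_size, coff_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics lives at offset 70 of the optional header in both
    # PE32 and PE32+ (the wider ImageBase in PE32+ swallows BaseOfData).
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # DYNAMIC_BASE does nothing if the loader has no relocations to apply.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def missing_mitigations(info: dict) -> list:
    """Name the protections a module does not opt into, in a fixed order."""
    missing = []
    if not info["nx_compat"]:
        missing.append("DEP opt-in (NX_COMPAT)")
    if not info["aslr_effective"]:
        missing.append("ASLR (DYNAMIC_BASE with relocations)")
    return missing


def build_sample_pe(dll_chars: int, coff_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Build a header-only PE image for demonstration (constructed, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew -> offset 64
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def report(name: str, data: bytes) -> str:
    """One line per module: format plus the protections it is missing, if any."""
    info = pe_mitigations(data)
    gaps = missing_mitigations(info)
    verdict = "opts into DEP and ASLR" if not gaps else "missing: " + ", ".join(gaps)
    return "%-28s %-5s %s" % (name, info["format"], verdict)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage (file names are illustrative): python pe_mitigations.py iexplore.exe plugin.dll
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(report(path, f.read()))
    else:
        # Constructed samples standing in for a hardened browser and a legacy plug-in.
        samples = {
            "hardened.exe (sample)": build_sample_pe(
                IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "legacy_plugin.dll (sample)": build_sample_pe(0),
            "stripped.dll (sample)": build_sample_pe(
                IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, coff_chars=IMAGE_FILE_RELOCS_STRIPPED),
        }
        for name, blob in samples.items():
            print(report(name, blob))
```

Two caveats when reading the output. A missing NX_COMPAT flag does not by itself mean the process runs without DEP: a system policy of OptOut or AlwaysOn, the Fix it described above, or a call to SetProcessDEPPolicy can turn it on anyway, so confirm the state of the running process rather than trusting the file alone. ASLR, on the other hand, is per module, so a single plug-in DLL that lacks DYNAMIC_BASE (or had its relocations stripped) is loaded at the same address every time, and that is exactly the fixed, non-randomized code an attacker reuses to get around DEP.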

Microsoft pointed consumer users who think they have been affected by the bug to this page for help.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
