Microsoft Advises Upgrading IE 6 To Avoid Bug

Microsoft provided more advice about a zero-day Internet Explorer vulnerability exploited by hackers last week.

The bug enabled attacks on Google and other companies, Microsoft has confirmed, but IE 6 appears to be the only browser version affected, the company announced this week. Microsoft hasn't heard of successful attacks against IE 7 and IE 8, according to George Stathakopoulos, Microsoft's general manager of Trustworthy Computing Security, in a blog post on Sunday.

On Monday, Jerry Bryant, Microsoft's senior security communications manager, added that Microsoft is investigating reports of proof-of-concept exploit code targeting IE 7 and IE 8.

"Earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista," Bryant wrote. "We are actively investigating, but cannot confirm, these claims."

Stathakopoulos downplayed the extent of the damage, saying that "we are only seeing a very limited number of targeted attacks against a small subset of corporations."

German and French agencies reacted swiftly, advising people to switch from Internet Explorer to other browsers, according to a report published on Tuesday by the Wall Street Journal.

Microsoft may release an "out-of-band update," which will likely be announced sometime on Jan. 19, according to Ed Bott's blog. The company released a security advisory last week that outlines some steps to take in the meantime. Microsoft also recommended on Monday that users upgrade to more recent versions of IE, particularly IE 8, because of "the improved security protection it offers," Bryant wrote.

Microsoft and third-party software security companies have recommended turning on a Windows feature called Data Execution Prevention (DEP), which prevents the processor from running code out of memory pages marked as data. DEP is turned on by default for Windows XP Service Pack 3 users, Stathakopoulos noted.

However, enabling DEP is just one step, according to Richie Lai, director of vulnerability research at security firm Qualys.

"First, you are protected from this specific known exploit if Data Execute Protection (DEP) is enabled in the operating system," Lai said. "While DEP has been proven to stop exploits like this, there are known ways to bypass DEP if you can get code running."

Another mitigating factor, Lai explained, is deploying address space layout randomization (ASLR), which randomizes where code and data are loaded in a process. Lai added that on IE platforms where both DEP and ASLR are enabled, "exploitation is extremely difficult."

Lai said Windows XP users should consult the "Fix it" section of Microsoft's advisory, which enables DEP for IE 6 or IE 7 on XP.

It's important to note that the problem doesn't begin and end with IE, according to Fraser Howard, principal virus researcher at SophosLabs.

"Actually, many other applications that the browser may interact with may be targeted by attackers (browser plug-ins, extensions and the like)," Howard wrote in a blog post on Monday. "A topical example currently would be (the ubiquitous) Adobe Reader, which has been somewhat hammered by malware throughout 2009…."

Microsoft pointed consumer users who think they have been affected by the bug to this page for help.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
