Microsoft Issues Workaround for IE 6 and 7 Flaw

Microsoft published a workaround for an in-the-wild vulnerability in Internet Explorer 6 and 7, described last week.

The vulnerability, which doesn't affect IE 8, was first disclosed in a March 9 security advisory, which suggested that the bug could enable remote code execution-type exploits. Microsoft is considering releasing an out-of-band fix. On Friday, the company added a workaround to the advisory.

According to Redmond, IT administrators can leverage the workaround by "disabling the peer factory class through the modification of a registry key." To simplify matters, Microsoft pointed IT administrators to a Microsoft Fix It link that the company says will automate the workaround for Windows XP and Windows Server 2003 customers.

In an e-mailed statement, Microsoft Security Response Center spokesman Jerry Bryant said that his group is "working hard to produce an update which is currently in the testing phase."

Microsoft's continued testing of the vulnerability is "a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows," Bryant said.

He also warned that customers should test the workaround "thoroughly before deploying as certain functionality that depends on the peer factory class...may be affected." Such functions include printing a document from a Web page using IE or saving a Web page file during an IE session. Those two functions in particular, according to Bryant, may be affected by the installation of the workaround.

Andrew Storms, director of security at nCircle, believes that much like the IE zero-day bug in January, which received a lot of press because of its involvement in the "Aurora" exploit that hit Google, this bug will get what he called swift "mitigation assistance."

"The good news is that, at this time, IE 8 is not affected," Storms said. "There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser wars."

Bryant didn't specify if or when Microsoft's investigation might yield an out-of-band update. "We never rule out the possibility of an out-of-band update," he said regarding this IE bug.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Sweetens Windows 7 Extended Security Updates for E5 Licensees

    In a promotional offer, organizations that have E5 licensing can get a year of free access to Microsoft's Extended Security Updates program for Windows 7.

  • Rollout Begins for HoloLens 2

    Microsoft started shipping the new version of its mixed reality headset, the HoloLens 2, on Thursday.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.