Vulnerabilities / Threats
11/24/2009
04:17 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Issues Internet Explorer Security Advisory

Users of Internet Explorer 6 and 7 may be vulnerable to a malware attack.

The publication of proof-of-concept exploit code affecting Internet Explorer 6 and 7 over the weekend prompted Microsoft on Monday to issue a Security Advisory.

Microsoft says that it is investigating the reported vulnerability, which affects Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 are not affected.

Microsoft says that it is not aware of attacks attempting to exploit the reported vulnerability.

"The vulnerability exists as an invalid pointer reference of Internet Explorer," Microsoft's Advisory states. "It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code."

The fact that Internet Explorer 6 and 7 together account for about 41% of the Web browser market means attackers will be tempted to exploit the vulnerability, says Michael Sutton, VP of security research at Zscaler, a computer security company.

"Attacks such as these are also prime candidates for targeting otherwise legitimate Web sites as an attack vector," Sutton said in an e-mailed statement. "The exploit can be triggered simply via HTML code, so attackers can inject code into Web sites with weak security protections."

According to Symantec Security Response, the proof-of-concept exploit exhibits inconsistent behavior.

Symantec expects that future exploits prove more effective.

While Microsoft has yet to issue a patch for the vulnerability, its advisory offers several ways to mitigate the risk of attack.

Finding the flaws in your operating systems and applications is only the beginning. You then need to plot a path to security and ensure that no new weaknesses find their way onto your network. This Dark Reading report focuses on how to do that. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2015-2168
Published: 2015-03-03
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.