In association with heise online

19 January 2010, 18:12

Hole in Internet Explorer: Good news and bad news

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

According to reports, Microsoft plans to release an emergency patch to close the hole in Internet Explorer that has been exploited for attacks on vendors, such as Google, before the end of this week. The patch is currently undergoing quality assurance testing.

One can only hope that Microsoft will deliver, as the likelihood of successful attacks is increasing. Microsoft's IE exploitability assessment, which states that it's mainly the users of Internet Explorer 6 under Windows 2000 and XP that are at risk, has been contradicted by several security specialists. Microsoft currently recommends that users switch to Internet Explorer 8 because, although this version is vulnerable, they say the hole cannot be exploited while the Data Execution Prevention (DEP) feature is enabled.

This may be true for the first exploit that appeared. However, browser specialist Dino Dai Zovi says he has developed an exploit which also works with Internet Explorer 7 under Vista. Furthermore, security firm Vupen have reportedly developed an exploit for Internet Explorer 8 which apparently also works while DEP is enabled, therefore invalidating the "fix it" solution released by Microsoft yesterday, which simply enables DEP. According to Vupen, the only functional protective measure is to disable JavaScript. Vupen has made their example exploit available only to their own customers for testing purposes.

Microsoft say they are not currently aware of any criminals exploiting the hole for deploying malware such as trojans via drive-by downloads. Nevertheless, it is advisable to use an alternative browser such as Firefox or Opera until an update has been released.

See also:

(crve)

 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit