In association with heise online

20 January 2010, 17:06

Internet Explorer hole: Help is at hand

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

IE Logo According to a press release from Microsoft Germany, it's official that Microsoft will release a patch for Internet Explorer out-of-cycle. The vendor plans to release a detailed time schedule by 9 am (Central European Time) on Thursday morning. Until then, Microsoft recommends that users switch to Internet Explorer 8, as this version offers a protected mode and more extensive security features such as Data Execution Prevention (DEP). According to Microsoft, these features can prevent all currently known attacks from being successful.

It is true that the first known exploit, which was used for the Aurora attacks, can be prevented via DEP. However, security specialists have since modified this exploit in such a way that it is now even said to work with Internet Explorer 7 under Vista and with Internet Explorer with DEP enabled. Thankfully, so far these exploits have not been circulated to a large audience. However, as the hole is situated in the code for processing a specific JavaScript object the only reliable workaround is to disable JavaScript.

Meanwhile, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has extended (German language link) its Internet Explorer warning. The BSI reports that other Microsoft products which use the MS HTML Viewer are also affected. According to the authority, these include Microsoft Outlook (up to and including Outlook 2003), Outlook Express, Windows Mail, Windows Live Mail, the Microsoft Help system and the Microsoft Sidebar. However, this time no alternative products were recommended.

In the email clients, JavaScript is disabled by default, which generally makes them immune against specially crafted HTML emails. The Help system for processing .CHM files, on the other hand, is only vulnerable if a victim downloads and opens a specially crafted file. The Microsoft Sidebar only accesses web page information via http. To make it vulnerable, an already installed mini application would have to access a specially crafted web page – although not generally impossible, this is currently considered a rather unrealistic scenario. Users who are unsure can simply disable the Sidebar.

Update - Microsoft have now issued an English language Security Bulletin Advance Notification informing users of the patch to IE6 to be released tomorrow, 21st of January.

See also:



  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit