Internet Explorer still a problem child
Microsoft can find no peace with Internet Explorer. At the forthcoming Black Hat security conference, security specialist Jorge Luis Alvarez Medina from Core Security plans to demonstrate vulnerabilities which can be exploited by a crafted website to read arbitrary files from a Windows PC.
Core Security reported two other such cross-domain vulnerabilities to Microsoft in 2008 and 2009, for which Microsoft released updates. So far, however, Microsoft has merely patched things up without addressing the actual core problem, and there are other routes for getting around the zone model. According to Medina, these routes are very hard to block, since they relate to fundamental functions of the browser designed to enable it to work seamlessly with other applications.
All versions of Internet Explorer, from version 6 to 8, on all versions of Windows including Windows 7 are affected. Microsoft is reported to have been informed of the problem and to be working with Core Security on a solution. There are no reports of successful attacks making use of this vulnerability. To date, neither Medina nor Microsoft has issued any advice on protection.
Just last week, Microsoft was forced to release an emergency patch to fix a critical vulnerability in its browser which is thought to have been used by Chinese hackers to penetrate Google, Adobe and other US businesses.
Users should consider using an alternative, such as Firefox, Chrome or Opera. Although these browsers also contain critical security vulnerabilities – with developers frequently fixing critical bugs in Firefox in particular – there have so far been almost no zero-day exploits for these vulnerabilities. Criminals continue to concentrate their attacks on Internet Explorer. Firefox's growing market share may mean, however, that it too could soon find itself under increasing fire.
- Microsoft Security Bulletin MS10-002 - Critical, security advisory from Microsoft.
- Security feature of Internet Explorer 8 unsafe, a report from The H.
- Windows hole discovered after 17 years, a report from The H.
- Internet Explorer hole: Help is at hand, a report from The H.
- Hole in Internet Explorer: Good news and bad news, a report from The H.
- Targeted attacks on businesses continue, a report from The H.
- Warning over using Internet Explorer from German Government as exploit goes public, a report from The H.