Microsoft confirms critical vulnerability in Internet Explorer
Microsoft has confirmed the existence of the critical security vulnerability that was reported over the weekend and released information on which systems are affected. According to the report, Internet Explorer 6 SP1 under Windows 2000 Service Pack 4 and Internet Explorer 6 and 7 under Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 are all vulnerable. The bug is not, however, present in Internet Explorer 5.01 SP4 or Internet Explorer 8.
Microsoft is working on a security update and, in the meantime, is advising users to set the security level for the 'Internet' and 'Local intranet' zones to high. Alternatively, the company recommends deactivating Active Scripting completely, although this prevents many websites from working properly. According to the report, data execution prevention (DEP) should also frustrate attacks. With Internet Explorer 7 under Vista, protected mode, which is activated by default, should at least reduce the effects of an attack.
According to the report, Microsoft Outlook, Microsoft Outlook Express and Windows Mail are also affected in theory, but Active Scripting should be blocked there because, by default, HTML email is opened with the privileges of the restricted sites zone.
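To check whether the zone workaround described above is in place on a machine, the following added example (not part of the article or of Microsoft's advisory) reads the Internet Explorer zone settings from the registry. It assumes Windows PowerShell is available; the registry paths, zone numbers and the `1400` (Active Scripting) value are the standard Internet Explorer zone settings and are not taken from the article.

```powershell
# Added example: audit the IE zone workaround (zone level High, or Active Scripting off).
# Zones: 1 = Local intranet, 3 = Internet. Value 1400 = Active Scripting URL action.
$zones = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 3; Name = 'Internet' }
)
# Policy locations are listed first because they override per-user settings.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$scriptingText = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$highLevel = 0x12000   # CurrentLevel value for the "High" template

function Get-ZoneWorkaroundStatus {
    foreach ($root in $roots) {
        foreach ($zone in $zones) {
            $key = "$root\$($zone.Id)"
            if (-not (Test-Path -Path $key)) { continue }   # nothing configured here

            $props     = Get-ItemProperty -Path $key
            $level     = $props.CurrentLevel
            $scripting = $props.'1400'

            $scriptingState = 'not set'
            if ($null -ne $scripting) {
                $scriptingState = $scriptingText[[int]$scripting]
                if (-not $scriptingState) { $scriptingState = "unknown ($scripting)" }
            }

            # Reports each location separately; it does not compute the
            # effective setting after policy precedence is applied.
            [pscustomobject]@{
                RegistryKey       = $key
                Zone              = $zone.Name
                LevelIsHigh       = ($level -eq $highLevel)
                ActiveScripting   = $scriptingState
                WorkaroundApplied = ($level -eq $highLevel) -or ($scripting -eq 3)
            }
        }
    }
}

Get-ZoneWorkaroundStatus | Format-Table -AutoSize
```

A row with `WorkaroundApplied` set to `False` for either zone means that location still allows Active Scripting at a level below High.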
- New critical vulnerability in Internet Explorer, a report from The H Security.