Microsoft issues warning about critical IE hole
If you surf the web during the upcoming holidays, you might want to be especially careful. An exploit recently went into circulation for a critical security flaw in Internet Explorer (IE), so you could infect your computer if you visit a specially crafted malicious website. In an advisory, Microsoft warns of the danger, confirming reports claiming that Internet Explorer versions 6 to 8 are vulnerable in all Windows editions.
The exploit takes advantage of a vulnerability in the handling of the @import tag in Cascading Style Sheets (CSS) to overcome Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR). As a workaround, the vendor recommends toughening up iexplore.exe with the free security tool called EMET. For a detailed background article, see "Damage limitation - Mitigating exploits with Microsoft's EMET" from The H Security. A patch is currently being worked on, but Microsoft has not yet said whether it will be released separately or on the next patch Tuesday.
According to Microsoft, the malicious code only runs with limited rights under Windows Vista and Windows 7 because IE handles webpages in the Protected Mode by default on those operating systems. Otherwise, the exploit starts off with the registered user's rights, which is a particular problem with Windows XP as users often constantly work with admin rights there. Under Windows Server 2003 and 2008, websites are loaded with the highest security level in the standard configuration, which Microsoft says at least reduces the extent of the attack.