In association with heise online

23 December 2010, 13:11

Microsoft issues warning about critical IE hole

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

IE Logo If you surf the web during the upcoming holidays, you might want to be especially careful. An exploit recently went into circulation for a critical security flaw in Internet Explorer (IE), so you could infect your computer if you visit a specially crafted malicious website. In an advisory, Microsoft warns of the danger, confirming reports claiming that Internet Explorer versions 6 to 8 are vulnerable in all Windows editions.

The exploit takes advantage of a vulnerability in the handling of the @import tag in Cascading Style Sheets (CSS) to overcome Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR). As a workaround, the vendor recommends toughening up iexplore.exe with the free security tool called EMET. For a detailed background article, see "Damage limitation - Mitigating exploits with Microsoft's EMET" from The H Security. A patch is currently being worked on, but Microsoft has not yet said whether it will be released separately or on the next patch Tuesday.

According to Microsoft, the malicious code only runs with limited rights under Windows Vista and Windows 7 because IE handles webpages in the Protected Mode by default on those operating systems. Otherwise, the exploit starts off with the registered user's rights, which is a particular problem with Windows XP as users often constantly work with admin rights there. Under Windows Server 2003 and 2008, websites are loaded with the highest security level in the standard configuration, which Microsoft says at least reduces the extent of the attack.

Such email clients as Outlook, Outlook Express and Windows Mail use IE to display HTML email but do not initially execute JavaScript and ActiveX controls in order to make it harder for attackers to execute malicious code on a local system. But because this vulnerability is exploited via CSS, the question arises whether this information does not lull users into a false sense of security. Other programs that also use the IE component will probably also be vulnerable to these attacks.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit