Microsoft investigating new Internet Explorer vulnerability
by Steve Ragan - Feb 4 2010, 09:00

Microsoft has said it is investigating a publicly reported vulnerability in Internet Explorer that could allow information disclosure on Windows XP systems, or on Windows Vista or Windows 7 systems running with Protected Mode disabled.
The vulnerability centers on how Internet Explorer handles the file: protocol, and it can be exploited by malicious ActiveX controls or other scripts. If the file: protocol is allowed to run in the Internet zone, an attacker can use it to read files on the victim's computer.
“An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site,” said Microsoft through an official advisory [link].
“The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability,” it added.
Microsoft goes on to mention other delivery vectors, such as instant-messaging traffic and advertising networks, each of which has already been used in past attacks. While there have been no reports of this particular vulnerability being used in the wild against Internet users, it's likely just a matter of time.
Internet Explorer 5.01 and Internet Explorer 6 on Windows 2000 (Service Pack 4) are impacted, as well as Internet Explorer versions 6, 7, and 8 on Windows XP (Service Pack 2, Service Pack 3, and Server 2003 Service Pack 2).
“Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue," said Jerry Bryant on the MSRC blog.
Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown, he added.
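For administrators who want to verify the workaround on affected machines, the following PowerShell script is an added example (not from the article or from Microsoft): it audits, and with -Apply sets, Network Protocol Lockdown for the file: protocol in the Internet zone (zone 3). The registry paths and value names used are assumed from the feature's documented layout; confirm them against Microsoft's advisory before relying on the script.

```powershell
# Added example, not Microsoft's own tooling. Audits and optionally applies
# Network Protocol Lockdown for file: in the Internet zone (zone 3).
# Registry locations below are assumptions based on the documented feature;
# verify them against the advisory before use. Applying requires an elevated shell.
param([switch]$Apply)

$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
$ZoneKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3'

function Test-FileProtocolLockdown {
    # True only when the feature is switched on for iexplore.exe AND
    # file: is listed as a restricted protocol for the Internet zone.
    $featureOn = $false
    $fileRestricted = $false
    if (Test-Path $FeatureKey) {
        $v = (Get-ItemProperty -Path $FeatureKey -ErrorAction SilentlyContinue).'iexplore.exe'
        $featureOn = ($v -eq 1)
    }
    if (Test-Path $ZoneKey) {
        $f = (Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue).file
        $fileRestricted = ($f -eq 'file')
    }
    return ($featureOn -and $fileRestricted)
}

function Enable-FileProtocolLockdown {
    # Creates both keys if absent and sets the two values the feature reads.
    New-Item -Path $FeatureKey -Force | Out-Null
    New-ItemProperty -Path $FeatureKey -Name 'iexplore.exe' -Value 1 -PropertyType DWord -Force | Out-Null
    New-Item -Path $ZoneKey -Force | Out-Null
    New-ItemProperty -Path $ZoneKey -Name 'file' -Value 'file' -PropertyType String -Force | Out-Null
}

if ($Apply) { Enable-FileProtocolLockdown }
$state = if (Test-FileProtocolLockdown) { 'ENABLED' } else { 'NOT enabled' }
Write-Output "Network Protocol Lockdown for file: in the Internet zone is $state"
```

Run it without arguments to audit a machine; Internet Explorer must be restarted for a newly applied lockdown to take effect.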
Microsoft has already released a 'Fix It' patch [link] to help mitigate the issue.
More information is here.