
Microsoft warns against IE vulnerability, lists nine possible workarounds

by Parm Mann on 16 December 2008, 09:41

Tags: Internet Explorer 7, Microsoft (NASDAQ:MSFT)


A vulnerability in Internet Explorer could allow remote code execution, said Microsoft in a security advisory published last week.

The yet-to-be-patched security flaw allows web sites to run malicious code that could activate small applications designed to steal a user's passwords and confidential data. Last week, the security advisory (#961051) appeared amid the usual long list of similar security flaws. With very few users batting an eyelid, few questions were asked, as (to Microsoft's credit) many have come to expect these regular flaws to be swiftly resolved.

However, Microsoft's original advisory stated that the attacks were only occurring on version 7 of its Internet Explorer browser. The following day, it revised the advisory to warn that various versions of Internet Explorer on multiple Windows operating systems are at risk.

A week later and the flaw appears to have gathered widespread interest from the hacking community. Trend Micro, an anti-virus specialist, now suggests that some 10,000 websites have been manipulated into exploiting the flaw - putting Internet Explorer's millions of users at risk.

In response, Microsoft has made available a set of user workarounds that it believes will help protect against the flaw until an official solution is made available. The Microsoft-tested workarounds are listed below and further details on each suggestion are available as part of a Microsoft TechNet blog post:

  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Disable XML Island functionality
  • Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL
  • Disable Row Position functionality of OLEDB32.dll
  • Unregister OLEDB32.DLL
  • Use ACL to disable OLEDB32.DLL
  • Enable DEP for Internet Explorer 7 on Windows Vista and on Windows Server 2008
  • Disable Data Binding support in Internet Explorer 8 Beta 2

As a result of the rapidly-growing impact of the flaw, Microsoft has stated that it may issue an out-of-cycle security update to help protect its customers. Security experts, meanwhile, are urging users of the world's most popular browser to seek out an alternative until the flaw is resolved.

Source: Microsoft TechNet



HEXUS Forums :: 5 Comments

As if anyone still needs a reason to avoid IE like the plague…
Yes, because luckily every other browser + platform has NEVER suffered a security bug.

The Beeb was quite dramatic in quoting someone who said they should stop using IE, but noting that hackers will focus on whatever the dominant browser is.

No, what makes sense is to run your browser as a VERY restricted user.
Bear in mind that it's also any other application that uses IE's engine that will be affected. So please, stop turning off UAC and run your day-to-day stuff as a restricted user. You may find that it makes you feel like a noob for a short while but at the end of the day it makes perfect sense.
I'm using Chrome and I like it!
Firefox + NoScript = no worries for practically anything.