Microsoft issued a new advisory late Wednesday, warning Internet Explorer (IE) users of the potential for data leakage as a result of new publicly disclosed IE zero-day vulnerabilities.
The IE vulnerabilities could result in information disclosure for users running any version of the browser on Windows XP or users who have disabled Internet Explorer Protected Mode. The software giant said it is unaware of any IE zero-day attacks targeting the vulnerabilities.
An attacker could target the hole by setting up a drive-by attack on a webpage. Microsoft said malicious code could also be served up in certain Web advertisements.
Until a patch is issued, a temporary Microsoft Fix-it (direct download) has been made available for Windows XP users. It automates Network Protocol Lockdown and can be deployed by enterprises through their automated systems, Microsoft said. In addition, Microsoft also provided a guide for system administrators describing manual steps for deploying the temporary network protocol fix.
Microsoft said users running IE 7 or 8 on Windows Vista and Windows 7 are not vulnerable to the flaw because the default configuration puts users in IE Protected Mode.
Danish
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to searchSecurity.in you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of searchSecurity.in is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
vulnerability clearinghouse Secunia gave the IE zero-day vulnerability a "moderately critical" rating. Secunia said an error results when the browser incorrectly handles redirections bypassing domain restrictions. It results in disclosure of some local files. A second flaw results when the browser handles a "dynamically created object," also disclosing certain files.
"Successful exploitation of the vulnerabilities requires that the full path to a target file is known prior to the attack," Secunia said in its advisory.
Patch issued for corporate attacks targeting IE 6 users.
Microsoft issued an emergency, out-of-band update last month addressing eight vulnerabilities in Internet Explorer. The update was the result of high-profile, ongoing attacks targeting corporate users of IE 6 on Windows XP.
The attacks were carried out against Google, Adobe Systems Inc. and more than 30 other companies. Microsoft said all the vulnerabilities can lead to either information disclosure or enable an attacker to take complete control of a system.