Tuesday, 24 November 2009 15:14

IE6 and IE7 vulnerable to latest flaw; IE8 immune


Microsoft has confirmed reports of a new vulnerability that affects both Internet Explorer 6 and Internet Explorer 7, but not Internet Explorer 8.

Microsoft has issued Security Advisory 977981 in response to public reports of a vulnerability that exists as an invalid pointer reference within Internet Explorer. Under certain conditions, a CSS/Style object can be accessed after it has been deleted; if Internet Explorer then dereferences the freed object, it can end up running attacker-supplied code. IE6 SP1 on Windows 2000 SP4, as well as IE6 and IE7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, are affected. Microsoft notes that IE 5.01 SP4 and IE8 on all supported versions of Windows are not affected, but IE6 and IE7 still account for over 40 percent of the browser market.

Exploit code for the flaw was first posted late last week to the BugTraq mailing list (archived at securityfocus.com and seclists.org). Microsoft voiced its concern that the vulnerability was not responsibly disclosed, potentially putting computer users at risk, but said it is not aware of any attacks that attempt to use it against IE6 and IE7. Redmond says it is actively monitoring the situation and may provide a security update on an upcoming Patch Tuesday or as an out-of-cycle patch once one is ready. The next Patch Tuesday is scheduled for December 8, 2009, but we’re not likely to see a patch that soon.

In addition to IE8 being unaffected by this vulnerability, Microsoft offered four other mitigating factors:

  • Protected Mode in IE7 on Windows Vista limits the impact of the vulnerability.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High and so is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which should mitigate attacks trying to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Microsoft also offered three workarounds for the new IE flaw. The first explains how to set the Internet and Local intranet security zones to “High” so that the browser prompts the user before running ActiveX controls and Active Scripting in those zones. The second details how to configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting altogether, in the Internet and Local intranet zones. The last suggests enabling Data Execution Prevention (DEP) for IE6 SP2 or IE7. All three are explained with step-by-step instructions in the security advisory and can be done by simply changing settings in Internet Explorer.
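The first two workarounds come down to per-zone settings that live in the registry, so an administrator can verify them across a fleet instead of clicking through Internet Options on each machine. The audit script below is an added example, not part of the article or Microsoft's advisory; it assumes the per-user zone keys are authoritative (Group Policy can enforce them machine-wide instead) and that the standard action value IDs 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting) with states 0 = Enable, 1 = Prompt, 3 = Disable apply.

```powershell
# Added audit script (not from the advisory or the article): reports whether
# Active Scripting and ActiveX still run silently in the Internet (zone 3) and
# Local intranet (zone 1) zones, i.e. whether advisory workarounds 1/2 are in place.
# Assumption: HKCU zone settings are authoritative on this machine. If Group Policy
# sets Security_HKLM_only = 1, the HKLM hive governs and this check must be repointed.

$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions  = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$states   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# A zone counts as hardened when every action is Prompt (1) or Disable (3).
function Test-ZoneHardened([int]$zoneId) {
    $path = Join-Path $zonesKey $zoneId
    if (-not (Test-Path $path)) { return $false }
    $props = Get-ItemProperty -Path $path
    $ok = $true
    foreach ($id in $actions.Keys) {
        $raw = $props.($id.ToString())
        # Assumption: a missing value is treated as Enable, the conservative reading.
        $value = if ($raw -eq $null) { 0 } else { [int]$raw }
        $label = if ($states.ContainsKey($value)) { $states[$value] } else { "unknown($value)" }
        Write-Host ("{0,-15} {1,-35} {2}" -f $zones[$zoneId], $actions[$id], $label)
        if ($value -eq 0) { $ok = $false }
    }
    return $ok
}

# Installed IE version; the advisory lists IE8 as not affected.
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
Write-Host "Internet Explorer version: $ieVersion"

$allHardened = $true
foreach ($z in $zones.Keys) { if (-not (Test-ZoneHardened $z)) { $allHardened = $false } }

if ($ieVersion -like '8.*') {
    Write-Host 'IE8 is not affected by Advisory 977981.'
} elseif ($allHardened) {
    Write-Host 'Workaround zone settings are in place.'
} else {
    Write-Host 'Active Scripting or ActiveX still runs without prompting in an affected zone.'
    # To apply workaround 2 (prompt before Active Scripting) in the Internet zone:
    #   Set-ItemProperty -Path "$zonesKey\3" -Name '1400' -Value 1 -Type DWord
}
```

Run it in the context of the user whose browser is being checked, since the zone settings are stored per user.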

In December 2008, Microsoft released an out-of-band security update for Internet Explorer and encouraged all users to run Windows Update or Microsoft Update to download the fix.
