Business IT Support

Microsoft has confirmed reports of a new vulnerability that affects both Internet Explorer 6 and Internet Explorer 7, but not Internet Explorer 8.

Microsoft has issued Security Advisory 977981 in regard to public reports of a vulnerability that exists as an invalid pointer reference of Internet Explorer. Under certain conditions, it is possible for a CSS/Style object to be accessed after the object is deleted, and thus, if Internet Explorer attempts to access the supposedly freed object, it can end up running attacker-supplied code. IE6 SP1 on Windows 2000 SP4, as well as IE6 and IE7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected. Microsoft notes that IE 5.01 SP4 and IE8 on all supported versions of Windows are not affected, but of course IE6 and IE7 still account for over 40 percent of the browser market.

Exploit code for the flaw was first posted late last week on the BugTraq mailing list (see either securityfocus.com or seclists.org). Microsoft noted its concern that this new report of the vulnerability was not responsibly disclosed, potentially putting computer users at risk, but that it is not aware of any attacks that try to use the reported vulnerability against IE6 and IE7. Redmond says it is actively monitoring the situation and may provide a security update on an upcoming Patch Tuesday or an out-of-cycle patch once it is ready. The next Patch Tuesday is scheduled for December 8, 2009, but we’re not likely to see a patch out that soon.

In addition to the latest version being unaffected by this vulnerability, Microsoft offered four other mitigating factors:

• Protected Mode in IE7 on Windows Vista limits the impact of the vulnerability.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High and so is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which should mitigate attacks trying to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Microsoft also offered three workarounds for the new IE flaw. The first one explains how to set the Internet and Local intranet security zone settings to “High” so that the browser prompts the user before running ActiveX Controls and Active Scripting in these zones. The second one details how to configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. Finally, the last one suggests enabling Data Execution Prevention (DEP) for IE6 SP2 or IE7. All three are explained with step-by-step instructions in the security advisory and can be done by simply changing settings in Internet Explorer.

In December 2008, Microsoft released an out-of-band security update for Internet Explorer and encouraged all users to run Windows Update or Microsoft Update to download the fix.

An interesting new vulnerability has popped up in Firefox browsers, leaving many users open to attack.  The vulnerability is actually a plug in for Firefox browsers designed by……(drumroll, please)….. You guessed it.. Microsoft

The vulnerability can be exploited when users visit malicious Web pages that contain specially crafted XAML-Coded content.

On Tuesday, Microsoft sent out an Internet Explorer patch to fix the vulnerability, by way of Windows Automatic updates. Although the IE patch is said to fix the problem with both Firefox and Internet Explorer browsers, many Firefox users are still reporting unresolved issues.

In order to protect people who are not yet patched, Firefox has added Microsoft’s plugin to its add-on blocklist, causing it to be automatically disabled by the browser, until a Universal fix can resolve the vulnerabilities of the plugin.

Mike Shaver, Firefox’s vice president of engineering, described the security problem in a blog entry posted Friday in the official Firefox security blog.

“Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the  plugin for all users via our blocklisting mechanism,” he wrote. “Microsoft agreed with the plan, and we put the blocklist entry live immediately.”

Plugin security vulnerabilities are a major problem for corporations, small businesses, and family users, due to their nature. These bugs are especially tempting to hackers because they often are a great way to affect multiple browsers and provide a larger audience of potential victims.

Our clients who are enjoying ongoing maintenance services are up to date,  and as always clients on the Managed Protection plans were protected considerably before the vulnerability was ever publicly disclosed.