Feeds

IE zero day bites broader group of users

Misconceptions about root cause also exposed

Using blade systems to cut costs and sharpen efficiencies

Researchers are warning that the unpatched security vulnerability in Microsoft's Internet Explorer affects more versions of the browser than previously thought, and that steps users must take to prevent exploitation are harder than first published.

According to an updated advisory from Redmond, the bug that's been actively exploited since Tuesday bites versions 5.01, 6, and 8 of the browser, which is by far the most widely used on the web. A previous warning from Microsoft only said that IE 7 was susceptible to the attacks. IE is susceptible when running on all supported versions of the Windows operating systems, Microsoft also says.

What's more, while there is some protection from Vista's User Account Control, the measure doesn't altogether prevent the attack, according to this post on the Spyware Sucks blog. Microsoft and others have suggested that those who must use IE in the next few weeks set the security level to high for the internet security zone or disable active scripting. These are sensible measures, but they don't guarantee you won't be pwned, according to this post from the Secunia blog.

Secunia goes on to revise what it says is the cause of the vulnerability. Contrary to earlier reports that pinned the blame on the way IE handles certain types of data that use the extensible markup language, or XML, format, the true cause is faulty data binding, meaning exploit code need not use XML.

Microsoft has yet to say whether it plans to issue a fix ahead of next month's scheduled release. For the moment, the volume of in-the-wild attacks remains relatively modest and limited mostly to sites based in China. But because attackers are injecting exploits into legitimate sites that have been compromised, we continue to recommend that users steer clear of IE until the hole has been closed.

Plenty of other researchers have weighed in with additional details about the flaw. Links from SANS, Sophos, and Hackademix here, here and here

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.