Microsoft says a serious zero-day flaw affecting Internet Explorer 6 and 7 is being actively exploited by attackers.
The vulnerability was announced on Tuesday, the same day that Microsoft released its monthly patches, distributing two patches to address eight vulnerabilities in Windows and Microsoft Office. Microsoft ranked both patches as "important".
Microsoft said it is investigating public reports of the flaw in IE6 and IE7, which could allow an attacker to execute malicious code remotely on a user's system — for instance, by tricking the user into visiting a malicious web page.
The latest version of the browser, IE8, is not affected by the flaw, nor is IE5.01 Service Pack 4 on Windows 2000 Service Pack 4, Microsoft said in an advisory.
The bug is due to an invalid pointer reference being used in IE, according to Microsoft.
"It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted," the company stated. "In a specially crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."
Microsoft acknowledged that attackers are attempting to exploit the bug. The company said it may provide a patch through its monthly security updates or via an out-of-cycle update.
Microsoft said the use of Protected Mode — a security feature in Windows Vista and Windows 7 — would give a successful attacker very limited system access.
The company also noted that all supported versions of Microsoft Outlook, Microsoft Outlook Express and Windows Mail open HTML email messages in the Restricted Sites zone, meaning an attacker would not be able to carry out an attack via an email message.
Independent security firm Secunia said in an advisory that the bug is "extremely critical", and advised users against visiting untrusted sites.

Talkback
So it is okay to give an attacker limited access to the system? Typical of MS software, and we wonder why there are so many viruses, trojans, rootkits, adware, malware, and other nasties involving MS software. Just more reasons to switch to Firefox or Opera. Using Windows and IE is double jeopardy.
Ok, there is a very fundamental problem here. Microsoft claims that exploiting this latest security hole will result in "very limited access". But this is a bug we're talking about, right? They presumably didn't design it in, and presumably didn't even know it was there or realize that it could be exploited. But we are supposed to believe that they know everything there is to know about every way this can be exploited, and thus that they can say with confidence and authority that it results in "very limited access"? Someone here doesn't understand either the definition or the nature of "bugs".
I also find it enlightening, and somewhat amusing, that an independent security company rates this problem as "critical", but Microsoft says "we'll get around to fixing it sometime, maybe a month from now. Maybe not".
jw