Critical zero-day exploit in IE 6, 7, and 8 allows complete takeover


Internet Explorer 8

Update your browser! On Saturday, Microsoft posted a security advisory that warns that Internet Explorer 6, 7, and 8 are vulnerable to a remote code execution bug. It even notes that an attempt to exploit this bug in IE 8 has already been found in the wild. Luckily, IE 9 and 10 are not affected. If you can update, do so immediately.

Microsoft explains that in its default state, Internet Explorer running on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 isn’t vulnerable. Microsoft Outlook, Microsoft Outlook Express, and Windows Mail also don’t appear to be affected, thanks to their increased restriction of JavaScript and ActiveX. If you can’t update to IE 9 or 10 for technical or business reasons, switching to Firefox or Chrome for general surfing will keep you safe from this specific vulnerability.

IE LogoIf updating IE and running a third-party browser aren’t options, there are workarounds. Running and properly configuring Microsoft’s Enhanced Mitigation Experience Toolkit will make the vulnerability more difficult for malicious websites to exploit. Using IE’s Security Zone feature, you can block ActiveX controls and JavaScript from running in the first place by cranking up “internet” and “local intranet” to the high setting. Alternately, you can configure IE to ask before running any scripts. It might be a pain in the neck to surf the web in this mode, but it’s better than being vulnerable to arbitrary code execution.

Microsoft does plan on issuing a patch, but it has yet to set a timeframe for the release. If need be, it will release the patch out of cycle, so that’s at least a little bit of good news for those of us affected by this bug. Internet Explorer is a huge target for black hats, and it’s only a matter of time before the next big vulnerability is found. Microsoft is working hard at making their browser as hardened as possible, but the onus remains on the user to keep out of the line of fire.

Using basic security tools like using Sandboxie while keeping your OS and anti-virus up-to-date will drastically decrease your risk of attack. That’s not enough, though. Clicking links in email and IM as well as browsing untrusted websites is still dangerous despite all of the strides in security we’ve made. Your gut is the first line of defense against security vulnerabilities. Don’t let your guard down just because security software is getting better. There is no magic bullet in security.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.