RealTime IT News

Microsoft Admits IE Still Flawed

IE patches

Barely a day after Microsoft updated its Internet Explorer browser to patch no less than four separate vulnerabilities, a new flaw has emerged that could allow remote code execution.

In a public advisory issued late Wednesday, Microsoft (NASDAQ: MSFT) confirmed that it is investigating public reports of attacks taking advantage of the new IE vulnerability, but added that it has thus far seen only what it called "limited attacks."

It did not elaborate on the attacks or on the exact nature of the vulnerability.

Security research firm eEye, however, identified the new vulnerability as an XML zero-day flaw. Likewise, Symantec researcher Elia Florio pinpointed the problem as affecting the XML parsing engine in IE7.

"The vulnerability depends on how certain elements of HTML pages are terminated and therefore could potentially affect not only XML, but also other objects handled by the browser," Florio wrote in a Symantec security forum posting.

In its advisory, Microsoft noted that Windows Vista users are at less risk if they run IE7 in Protected Mode, which isolates the browser from the rest of the operating system by running it with reduced user privileges.

Microsoft also suggests workarounds in its advisory to help users protect themselves against the new issue. They include setting the Internet and Local intranet security zone settings to "High," which will force the browser to prompt users before it runs any ActiveX controls from a Web site.

"Internet Explorer remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be across any site on the Internet," Andre Protas, eEye's director of research and preview services, said in a statement. "An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials."

Microsoft has not yet publicly stated whether it will issue an out-of-cycle patch for the issue, and did not return requests for comment by press time.

However, in its advisory, Microsoft did indicate that a fix may be forthcoming in some capacity if the company decides it's necessary.

"On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."