Microsoft confirmed late Monday that a zero-day
The proof-of-concept code first appeared over the weekend, when it was posted anonymously on Symantec’s (NASDAQ: SYMC) popular BugTraq security mailing list.
When the bug and the proof-of-concept code to exploit it first appeared, Microsoft (NASDAQ: MSFT) said it was looking into the issue. But now, the company has begun working on a patch, according to a Microsoft Security Advisory.
The company has yet to disclose timing for the release, which it said would be available as soon as it’s been developed and tested.
“At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 … and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes,” the security advisory said.
The hole is not present in the latest version of Microsoft’s browser — IE8 — which shipped in March.
However, it does exist in earlier releases — specifically IE6 and IE7.
That poses a major problem, since there are more users running IE6 and IE7 than IE8. Microsoft would love to kill off IE6 due to its age and the number of bugs that have been found in the oldest affected browser, but it is used by an overwhelming number of both consumer and corporate users.
For instance, Web analytics firm Net Applications’ latest figures show IE6 with 23.3 percent of all browser use worldwide. IE7 usage statistics add another 18.16 percent, for a total of 41.5 percent of browsers at risk from the new exploit.
IE8, in contrast, has 18.12 percent of browser use. That means that nearly half of all browsers have the vulnerability.
The problem itself lies in a portion of browser code known as Cascading Style Sheets, or CSS. A hacker could compromise a user’s computer by simply luring the user to visit a malicious Web page or a page that has been compromised.
It’s the latest high-profile critical security vulnerability to hit Microsoft in recent months.
In October, for example, the company had the largest number of patches in its history — fixing 34 individual holes with 13 patches.
The previous record was only last June when Microsoft fixed 31 holes.
While Microsoft has begun work on a patch — a move that signals the danger implicit in the zero-day vulnerability — the company also has offered workarounds for the latest flaw: chiefly, upgrading those aging browsers.
“Microsoft is recommending that customers with earlier versions of the browser consider downloading the more recent version of IE to take advantage of the latest security and privacy features,” Alan Wallace, a spokesperson for Microsoft security response communications, said in an e-mail to InternetNews.com.
Users not prepared to go that far should consider setting the security level in IE6 and IE7 to “High,” according to Microsoft.
“Setting the Internet zone security setting to ‘High’ protects against this vulnerability by disabling scripting, [and] disabling less-secure features in Internet Explorer,” the company said in its security advisory.
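The zone-level workaround above is something an administrator will usually want to verify across machines rather than trust a user to click through. The following PowerShell script is an added example written for this article, not code from Microsoft or from the advisory. It assumes the standard per-user location of the Internet zone settings (`HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`, where zone 3 is the Internet zone), the `CurrentLevel` DWORD that records the slider position, and the action value `1400` for “Active scripting”; the function names are the example’s own.

```powershell
# Added example (not from the article or from Microsoft): audit the IE Internet-zone
# security level and, optionally, raise it to "High" as the advisory recommends.
# Assumptions: per-user zone settings live under the path below (zone 3 = Internet);
# "CurrentLevel" encodes the slider (0x12000 High, 0x11000 Medium-High, 0x11500 Medium,
# 0x10500 Medium-Low, 0x10000 Low); value "1400" is the Active scripting action
# (0 = enable, 1 = prompt, 3 = disable).

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Levels   = @{ 0x12000 = 'High'; 0x11000 = 'Medium-High'; 0x11500 = 'Medium';
               0x10500 = 'Medium-Low'; 0x10000 = 'Low' }

function Get-InternetZoneLevel {
    # Report the slider position and whether active scripting is actually disabled,
    # since the advisory's protection comes from scripting being off, not from the label.
    $props  = Get-ItemProperty -Path $ZonePath
    $level  = [int]$props.CurrentLevel
    $script = $props.'1400'
    [pscustomobject]@{
        CurrentLevel    = ('0x{0:X}' -f $level)
        LevelName       = if ($Levels.ContainsKey($level)) { $Levels[$level] } else { 'Custom' }
        ActiveScripting = if ($null -eq $script) { 'Not set (inherits zone template)' }
                          else { switch ([int]$script) { 0 {'Enabled'} 1 {'Prompt'} 3 {'Disabled'} default {'Unknown'} } }
    }
}

function Set-InternetZoneHigh {
    # Moving the slider value alone only changes what the UI displays; the per-action
    # values must be set too. This example sets the scripting action explicitly, which is
    # the control the advisory relies on. The full "High" template touches many more
    # actions and is best applied through the IE dialog or Group Policy.
    Set-ItemProperty -Path $ZonePath -Name 'CurrentLevel' -Value 0x12000 -Type DWord
    Set-ItemProperty -Path $ZonePath -Name '1400'         -Value 3       -Type DWord
}

# Usage: audit first; call Set-InternetZoneHigh only where the audit shows scripting enabled.
Get-InternetZoneLevel
```

Run the audit as the user whose browser is in question, since these are per-user settings; on machines where the `Security_HKLM_only` policy is in force, the same keys under `HKLM` take precedence and a per-user change will not take effect.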