Microsoft Warns of Zero Day Bug Affecting Internet Explorer 6-8

News Posted: Sun, Dec 30 2012 11:03 AM
Microsoft is currently investigating reports of a zero day bug affecting Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, the company announced in a Security Advisory. At issue is a remote code execution vulnerability that would allow attackers to seize control of a Windows PC.

How it works is IE attempts to reference and use an object that had previously been freed. The components of an exploit for such a vulnerability are typically:
  • JavaScript to trigger the Internet Explorer vulnerability
  • Heap spray or similar memory preparation to ensure the memory being accessed after it has been freed is useful
  • A way around the ASLR platform-level mitigation
  • A way around the DEP platform-level mitigation

Microsoft suggests disabling certain services while it works on a patch. Alternatively, you can use a different browser like Google Chrome.

"The IE team is working around the clock to develop a security update to address this vulnerability for earlier versions of the product," Microsoft stated. "However, until the update is available, customers using Internet Explorer 8 can block the current targeted attacks by introducing changes to disrupt any of the elements of the exploit."

Those changes include disabling JavaScript, disabling Flash, and disabling the MS-Help protocol handler along with ensuring "Java6" is not allowed to run.

The vulnerability is not present in IE9 or IE10.
MCaddick replied on Sun, Dec 30 2012 3:19 PM

Who the heck still uses any browser (from any browser maker) that is so old?

Just leave it unpatched. At least that way some of the users might update their browsers to versions a bit more recent.

3vi1 replied on Sun, Dec 30 2012 3:37 PM

>> Who the heck still uses any browser (from any browser maker) that is so old?

Corporations. My company bought so deep into the IE6 crap that we still have IE6 and IE8 as our only browsers on the desktop. This is why I stress to everyone: DON'T USE PROPRIETARY THINGS.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?


sackyhack replied on Sun, Dec 30 2012 5:37 PM

Yeah, we had that problem until a couple of years ago; at least my company upgraded to W7 a while ago, but now there's this ridiculous mess where our intranet data management GUI that some employees need uses a more recent version of Flash while IT refuses to upgrade, and it's causing all sorts of problems.
