February 4, 2010

Microsoft Investigates Another IE Security Hole

After recently fixing a security flaw in its Internet Explorer browser last month, Microsoft is now looking into a new vulnerability in its browser software.

Microsoft Trustworthy Computing group manager Dave Forstrom told AFP on Wednesday that Microsoft is probing the issue with its Internet browser. "We're currently unaware of any attacks trying to use the vulnerability or of customer impact, and believe customers are at reduced risk due to responsible disclosure," he said.

According to Microsoft, the issue is unrelated to cyber attacks disclosed by Google, and the threats are limited to users of the Windows XP computer system. Furthermore, the flaw only affects computers that are using IE with Protected Mode disabled, according to senior security communications manager Jerry Bryant.

"People running IE 7 or 8 default configurations on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Protected Mode," said Bryant.

The flaw was brought to Microsoft's attention during a Black Hat technology security conference in Washington, D.C. on Wednesday.

A computer defense firm made the initial discovery of the vulnerability.

Microsoft issued a security advisory warning of the danger to XP users and recommended the "Network Protocol Lockdown" feature and IE software be set to Protected Mode.

The best advice Microsoft is offering is for anyone running older Windows systems and/or IE browser versions to upgrade to Windows 7 and get the latest IE 8 browser, which have significant safeguards against hackers.

Once Microsoft is done investigating the issue, it will take appropriate action to help customers be safe against these attacks, said Forstrom. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."

The norm for Microsoft is to release security updates on the second Tuesday of every month when it deems fixes urgent. This could be the second time in as many weeks that it will issue an out-of-cycle patch to protect customers from cyber crime.

The previous attack, which caused Microsoft to release its unscheduled patch, was met with great concern for Google as they threatened to sever Internet ties with China where the crimes were based. Although the crimes were originated from Chinese systems and targeted the email accounts of Chinese human rights groups around the world, Google made it clear that accusations were not against the Chinese government.

MacAfee anti-virus firm said that the attacks on Google and other companies were more sophisticated than that of usual cyber criminals. The attackers used email and other services to lure employees of targeted companies to click on a link and visit a specially crafted website using IE. Once the user reached the site, malware would then be downloaded automatically that would potentially give hackers full access to the user's computer through an elaborate system of "back doors."


On the Net: