December 23, 2010

New IE Browser Vulnerability

Microsoft has issued a new warning about severe vulnerability issues with all versions of its widely-popular Internet Explorer (IE) browser, saying booby-trapped webpages could allow attackers to take control of an unprotected computer.

BBC News reports that code to exploit the bug has already been published, though Microsoft said it had no evidence that the malicious strain was currently being used by hi-tech criminals.

While Microsoft works on a permanent fix for the issue, it has produced a workaround for the time being to offer some protection against the bug.

The bug revolves around the way that IE manages a computer's memory when processing Cascading Style Sheets -- a widely used technology that defines the look and feel of pages on a website.

Hi-tech hackers have long known that they can exploit IE's memory management to inject their own malware codes into the stream of instructions a computer processes as a browser is being used. In this way the criminals can get their own code running and hijack a personal computer.

Microsoft produced updates that improve memory management but security researchers found that these protection systems are not used when some older areas of Windows are utilized.

Microsoft was probing the issue and working on a permanent solution, it said in a statement. In the meantime it recommended those concerned use a protection system known as the Enhanced Mitigation Experience Toolkit.

Installing the toolkit and applying its features may require users of older Windows versions to update the operating system they are using. But even then, some of the protection it bestows on Windows 7 and Vista users will not be available.

"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," David Forstrom, the director of Microsoft's Trustworthy Computing group, told BBC News in a statement.

"As vulnerabilities go, this kind is the most serious as it allows remote execution of code," said Rik Ferguson, senior security analyst at Trend Micro. "This means the attacker can run programs, such as malware, directly on the victim's computer."

"It is highly reminiscent of vulnerability at the same time two years ago which prompted several national governments to warn against using IE and to switch to an alternative browser," added Ferguson.


On the Net: