Microsoft Admits New IE Vulnerability Could Open Files

Microsoft has warned users that a newly-discovered flaw in the Internet Explorer browser could give hackers access to their files. The attack is the second in a month, following one which Google claims was used by China to attack it.

No attacks have been reported using the new flaw, and Microsoft has advised on security settings that will prevent it. It is not yet clear whether the company will fix the weakness with a special urgent patch, or in its normal update cycle.

The new vulnerability could allow an attacker to access files on a PC, as long as the attacker already knows the file name and location. It affects users with IE running on Windows XP, or using IE with Protected Mode disabled, according to a Microsoft security advisory.

Microsoft says the vulnerability is the result of content being forced to render incorrectly from local files in such a way that information may be exposed to malicious Websites.

“At this time, we are unaware of any attacks attempting to use this vulnerability,” the advisory says. “We will continue to monitor the threat environment and update this advisory if this situation changes.”

The affected versions are Internet Explorer 5.01 Service Pack 4 (SP 4) on Windows 2000 Service Pack 4; IE 6 SP 1 on Windows 2000 SP 4; and IE 6, 7 and 8 on supported versions of Windows XP SP 2, Windows XP SP 3 and Windows Server 2003 SP 2.

“Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue,” blogged Jerry Bryant, senior security communications lead for the Microsoft Security Response Center. “Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown. We have created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems.”

A flaw in Microsoft’s Internet Explorer version 6 was used in attacks on Google which Google claims originated in China. Microsoft patched this weakness in an out-of-band update, after attack code was circulated.

For the new vulnerability, Microsoft suggests users set Internet and local intranet settings to High so there is a prompt before running ActiveX controls or active scripting. Instructions on how to do that are contained within the advisory.

Users in the UK’s National Health Service have been warned not to use IE6, but the UK government overall has not told people to shun it. The French government issued a warning about IE6, as did the German government.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
