Microsoft Admits New IE Vulnerability Could Open Files

Microsoft has warned users that a newly-discovered flaw in the Internet Explorer browser could give hackers access to their files. The attack is the second in a month, following one which Google claims was used by China to attack it.

No attacks have been reported using the new flaw, and Microsoft has advised on security settings that will prevent it. It is not yet clear whether the company will fix the weakness with a special urgent patch, or in its normal update cycle.

The new vulnerability could allow an attacker to access files on a PC, as long as the attacker already knows the file name and location. It affects users with IE running on Windows XP, or using IE with Protected Mode disabled, according to a Microsoft security advisory.

Microsoft says the vulnerability is the result of content being forced to render incorrectly from local files in such a way that information may be exposed to malicious Websites.

“At this time, we are unaware of any attacks attempting to use this vulnerability,” the advisory says. “We will continue to monitor the threat environment and update this advisory if this situation changes.”

The affected versions are Internet Explorer 5.01 Service Pack 4 (SP 4) on Windows 2000 Service Pack 4; IE 6 SP 1 on Windows 2000 SP 4; and IE 6, 7 and 8 on supported versions of Windows XP SP 2, Windows XP SP 3 and Windows Server 2003 SP 2.

“Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue,” blogged Jerry Bryant, senior security communications lead for the Microsoft Security Response Center. “Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown. We have created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems.”

A flaw in Microsoft’s Internet Explorer version 6 was used in attacks on Google which Google claims originated in China. Microsoft patched this weakness in an out-of-band update, after attack code was circulated.

For the new vulnerability, Microsoft suggests users set Internet and local intranet settings to High so there is a prompt before running ActiveX controls or active scripting. Instructions on how to do that are contained within the advisory.

Users in the UK’s National Health Service have been warned not to use IE6, but the UK government overall has not told people to shun it, although the French government issued a warning about IE6, as did the German government.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
