Barely two months after the suspected Chinese cyber attacks on Google which prompted some Governments to issue IE warnings, Microsoft’s browser has been hit by another security exploit. According to the Microsoft report:
The main impact of the vulnerability is remote code execution.
The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
At this time, we are aware of targeted attacks attempting to use this vulnerability.
The exploit targets IE6 and IE7. IE8 and IE5 on Windows 2000 are not known to be affected, but security company Sophos has graded the threat level as “critical”.
Browser exploits are never good news for a vendor, but the timing of this discovery is particularly problematic for Microsoft. The company has embarked on a huge IE publicity campaign to counteract user migration following the introduction of the EU browser choice screen.
Looking on the positive side, the exploit may persuade some users to upgrade to IE8. Although few users know which version they’re running — they could abandon the browser altogether. However, it’s more likely that most IE users will carry on surfing and are totally oblivious to any problems!
If you depend on IE6 or 7 you can always disable scripting. Again.
Craig BucklerCraig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
