Printed from http://www.electronista.com

IE7 zero-day hole exposed; experts urge alternatives

updated 03:45 pm EST, Tue December 16, 2008

IE7 Zero-Day Exploit

A new and previously undiscovered vulnerability in Internet Explorer 7 has triggered warnings to at least temporarily avoid the browser until it can be fixed. The exploit, which takes advantage of the browser's data binding feature to create a memory hole, is unique to Microsoft's code and potentially dangerous because it can be triggered over the web. A maliciously formed website can use the exploit to steal private data or otherwise compromise the system; some benign websites have been turned hostile using the exploit and other vulnerabilities, the company says.

Over 10,000 sites have already been launched or corrupted with the security gap in mind, according to Trend Micro senior security advisor Rick Ferguson, who is among the early group of experts suggesting that users run an alternative browser until a patch is ready.

"If users can find an alternative browser, then that's good mitigation against the threat," he says.

Notably, Apple Safari, Google Chrome, Mozilla Firefox, and Opera's self-titled browser all avoid the exploit, which also affects earlier versions of Internet Explorer but is limited to systems running Windows XP, Server 2003/2008 and Vista.

Microsoft itself tries to downplay the impact and suggests the damage is relatively limited. The company's UK Windows chief John Currant argues that the exploit only affects 0.2 percent of websites at present and that switching to a competitor's browser would be a hasty reaction given the rarity of the attack.

"I cannot recommend people switch due to this one flaw," he contends.

Regardless, the company has no estimates for when it will provide the necessary fix and instead suggests that Windows XP and Vista owners run Internet Explorer 7 in Protected Mode, which sandboxes it against these types of exploits. Both Windows Server variants also run by default in an enhanced security mode that should prevent the code from running arbitrarily.



By Electronista Staff

Comments

  1. Guest

    Fresh-Faced Recruit

    Joined: Nov 1999

    0

    Another one?

    Gee, yet another Explorer hole that MS is downplaying. Why don't they just throw this POS, that is Internet Exploder, away and admit they're just plain asses when it comes to writing anything that doesn't have thousands of bugs in it?

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -5

    well

    If you're dumb enough to head off to nefarious and p*** web sites, you deserve to be infected/affected.

  1. cyn1c

    Fresh-Faced Recruit

    Joined: Oct 2008

    +6

    Really?

    Way to be a d***. This exploit can affect ANY website that has been hijacked. No one deserves to be infected with a virus just because they visited a website, regardless of their level of internet savvy.

  1. Alfiejr

    Fresh-Faced Recruit

    Joined: Aug 2008

    +3

    Total Piece of c***

    IE is a dog, pure and simple. it's always been vulnerable to exploits, and it always will be. no matter how many patches. this exploit is really dangerous. but the underlying code of the whole darn program is hopeless, because the legacy code of Windows/NT is hopeless, security wise. until MS writes a whole new kernel (and browser) from the ground up, it's going to be playing whack-a-virus-mole for the rest of eternity.

  1. ehoppe

    Fresh-Faced Recruit

    Joined: Jul 2008

    +2

    Confused

    You know, I don't understand how browsers that expose their users to significant risk retain such large market shares. I've been using Opera for a long time and I have yet to question my security while browsing.
