Vulnerability In Internet Explorer Could Allow Remote Code Execution


Written by  Raja Rao | 01 January 2013

Soon after public reports of zero-day attacks against Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 surfaced back in September 2012, Microsoft launched its own investigation on the strength of those reports. No time frame for a resolution was set when the attacks became known. The investigation has since made progress, however, and reached some definite conclusions. First, Microsoft confirms that IE 6, IE 7, and IE 8 are vulnerable and allow remote code execution.

According to a note from Microsoft, "The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website".

The vulnerability gives the attacker the same user rights as the currently logged-in user. In a web-based attack scenario, an attacker could host a website containing a webpage that is used to exploit this vulnerability.

While the company works on a fix, the alternative is to apply the Microsoft Fix it solution, "MSHTML Shim Workaround," which will prevent exploitation of this issue. Further fixes are promised upon successful completion of the investigation and will be released via either the monthly security update release or an out-of-cycle security update. Apart from this, the suggested manual mitigation is to run the IE browser in a high security mode so that it blocks, or notifies the user before, the running of ActiveX controls and unwanted scripting.
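The manual mitigation above maps to Internet Explorer's per-zone security settings, which can be audited from the registry. The read-only check below is an added example, not code from Microsoft or the original article; auditing the Internet and Local intranet zones in the current user's hive is an assumption, and the sample object is constructed.

```powershell
# Read-only audit of IE security-zone settings (added example, PowerShell 2.0+).
# Documented URL-action IDs: 1200 = Run ActiveX controls and plug-ins,
# 1400 = Active scripting. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
# CurrentLevel 0x12000 is the "High" zone template.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ '1' = 'Local intranet'; '3' = 'Internet' }  # assumption: zones audited
$Actions  = @{ '1200' = 'Run ActiveX controls'; '1400' = 'Active scripting' }
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-ZoneSettings {
    param([string]$ZoneName, $Settings)
    $isHigh = ($Settings.CurrentLevel -eq 0x12000)
    foreach ($id in ($Actions.Keys | Sort-Object)) {
        $value = $Settings.$id
        if ($null -eq $value) { $state = 'not set' }
        elseif ($Meaning.ContainsKey([int]$value)) { $state = $Meaning[[int]$value] }
        else { $state = "other ($value)" }
        New-Object PSObject -Property @{
            Zone = $ZoneName; Action = $Actions[$id]; Setting = $state
            HighTemplate = $isHigh
            # Counted as mitigated only when the action prompts or is disabled.
            Mitigated = (1, 3 -contains $value)
        }
    }
}

# Constructed sample: a zone left permissive, so the report shows what a
# failing result looks like without depending on this machine's registry.
$sample = New-Object PSObject -Property @{ CurrentLevel = 0x11000; '1200' = 0; '1400' = 0 }
$report = @(Test-ZoneSettings 'Sample (constructed)' $sample)

# Live check of the current user's zones; nothing is written.
foreach ($zone in $Zones.Keys) {
    $live = Get-ItemProperty -Path (Join-Path $ZoneRoot $zone) -ErrorAction SilentlyContinue
    if ($live) { $report += @(Test-ZoneSettings $Zones[$zone] $live) }
}
$report | Select-Object Zone, Action, Setting, HighTemplate, Mitigated | Format-Table -AutoSize
```

On machines where zone settings are pushed by Group Policy, the policy values take precedence over the per-user values read here, so the policy hive needs checking as well.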

IE 9 and IE 10 are understood to be safer versions and are not affected by the issue. However, with almost 3 months having passed since the issue was identified, I guess this can no longer be called a "Zero Day" attack, and hopefully the company will put the security vulnerabilities to bed soon enough, before its browser market share starts to plummet.

Raja Rao

Raja Rao is our Cloud Journalist, writing for ToolsJournal on Cloud Tools, latest updates, Cloud Quick Lists and more. He holds a Bachelor of Engineering (Civil) and has been in IT for over 15 years, with good expertise in CRM, PeopleSoft, SAP, Microsoft and .Net technologies. Raja comes with a fantastic blend of technical, solutions and delivery expertise. Loving the concept of ToolsJournal, he has joined us full time and has been a tremendous help in taking this portal forward.

You can reach Raja at raja@toolsjournal.com 