Internet Explorer's handling of CSS has been found to contain a remote code execution vulnerability.
Microsoft has issued a warning about an unpatched zero-day vulnerability in Internet Explorer, which leaves Windows open to attack.
The vulnerability, discussed in Microsoft's Security Advisory 2488013, relates to Internet Explorer's handling of malicious Cascading Style Sheet (CSS) code, and can be exploited to overwrite uninitialised memory and execute arbitrary code.
The flaw can be exploited to remotely run code under the account of a logged-in user when that user simply visits a website that contains malicious CSS code. It's a serious issue, but it's one that Microsoft believes isn't currently being exploited by ne'er-do-wells.
There is no known fix for the flaw at present, although Microsoft reports that it's 'investigating new, public reports of a vulnerability in all supported versions of Internet Explorer, and on completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.'
In the meantime, the company advises users to run Internet Explorer in Protected Mode and ensure that their main user account is not configured as a system administrator. This will limit the rights available to malicious code executed from within the browser.
Although Microsoft claims to be 'unaware of any active exploitation of this vulnerability,' it does confirm that the flaw is public knowledge. This potentially means that attackers could quickly pick up on it and start to exploit the flaw before Microsoft fixes it.
Are you disappointed to see yet another security hole appear in Internet Explorer, or just pleased that Microsoft is looking into the problem as soon as public reports surfaced? Share your thoughts over in the forums.
24 Comments
it's also ironic that current iterations of IE use such an old version of CSS that most people who fiddle with it are pretty much moving on to CSS3 =X
roughly 55 % of visitors to my site, and alarmingly a high percentage are from the UK.
Opera all the way for me.
1500 workstations at my workplace, for some god-forbidden reason our admin seems to think IE 6 is a great choice of web browser.
anyway, no browser is totally secure, so you can't call people stupid for using IE.
Bit Tech do... I'm viewing the website in IE. Gosh some people .......
check this 2008 article it gives an informed view, it is however now outdated, but still to a point applies.
You can completely disable IE on win 7. Maybe not what you're after but it's a step in the right direction.
The biggest annoyance for me at the moment is when you click on new tab and try to open a page, you have to leave an age it seems before opening up a page on it, otherwise it always opens over the other tab you have open.
what I find interesting is CSS exploits happening in Google search for images as one of my customers was and most likely more, when I clicked on the search result opens the pages then runs a CSS exploit and tries to install fake AV software in the background (Opera just gets some error when it tries to run it bad code)
Opera's great but it's on version 11.00 at the minute, so will wait for 11.01 before returning to using it for everything as they always find and thankfully fix bugs in new builds quickly.
I only use IE for Youtube vids and other non-essentials now, but we'll see what v9 brings - not that I'd stop using FF for all the general purpose stuff.
Haha, NO!
My neighbour has just bought a Chrysler Voyager MPV. 40mph collision with a wall = fatal chest injury & lost limbs for the driver according to NCAP, & the older model which still sold reasonably well it was driver decapitation at 30mph. If it was all about safety first, there would be a lot less brand diversity on the road network.
More accurate, in any event, to compare to our choice of security systems, but what thought do you give to the brand or type of lock on your front door? The majority of users are suffering because of the popularity of their choice, not because it is specifically so much more vulnerable than any other out there.
The difference here is they are getting "functionality" of a people carrier. I don't see any "real" functionality of IE over any other browser. Fair enough not everyone goes for safest car, but it's usually the something-est. Most IE users are just going with what's already there. Either way, any bad choice is usually due to ignorance, car or computer.
it's also about safe browsing habits, be aware of the websites you're visiting.
FF 3-3.6 are a PoS
Chrome is a little behind the Chromium curve.
Why oh why do companies force us to use PoS? Garmin being one that makes you use an IE plugin to update your device.
Citibank being another that forces people to use IE + Acrobat if you want to download a statement double PoS, WTF!
It is somewhat only because fewer people use it and therefore fewer black hats look for holes in it. Also, it's open source, so lots of people are looking at the code. I recall an incident a couple of years ago where a serious security problem was found in FF and the fix was out within 9 hours.
This.
I don't run any AV and I know a lot of people on here don't either.
It's been shown that it doesn't matter what browser you use or what AV you have, it all comes down to browsing habits.