Microsoft Offers IE Security Workaround, But No Fix

A zero-day flaw in Internet Explorer 7 reported last week has sparked increased hacker activity, and now the attacks involve most versions of Microsoft's Internet browser.

A zero-day flaw in Internet Explorer 7 reported last week has sparked increased hacker activity, and now the attacks involve most versions of Microsoft's Internet browser. Still, Microsoft does not plan to issue a fix for the exploit until sometime next year.

The attack code originated on Chinese servers and initially only affected IE7, but it emerged that IE5.01, IE6, IE7 and IE8 Beta 2, have also been exploited.

On Monday, Redmond continued to investigate what it called "huge increases" in attacks exploiting the "critical" vulnerability in Internet Explorer. A blog post on Saturday explained that some of the attacks originated from compromised porn sites.

Microsoft is stressing that avoiding questionable Web destinations may not be an adequate defense in itself.

"This class of attack, along with other more classical forms of website intrusion, mean[s] that even trusted sites can end up serving malicious content, causing you[r computer] to get infected. Other researchers confirmed that attacks were increasingly coming from compromised Web sites," the blog said.

Research by other companies confirmed an uptick in incursions using IE as the vector. Antivirus software maker Trend Micro Inc. issued a statement on Monday indicating that as many as 10,000 sites have been compromised by this IE browser flaw over a week's time.

In response, Microsoft added a third addendum to its security advisory over the weekend. The addendum lists possible workarounds and solutions to serve as stopgap measures until a comprehensive IE fix for this exploit becomes available in 2009.

The attacks come as Redmond fights for increased browser market share. A recent survey found that IE8 was the safest, but least popular, Web browser in a beta comparison with Mozilla Firefox and Google Chrome.

Users should turn to other browsers besides IE until this problem can be fixed, according to Wolfgang Kandek, chief technology officer of security firm Qualys. However, Kandek contends that no browser is safe unless patched in real time or patched frequently, a technique known as "fast patching."

"Recent research has shown that Firefox fast patching offers significant advantages over IE, Opera and others," he said. "Opera has added fast patching in their newest release and Google Chrome has had it from the get-go."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Industrial Control System Honeypot Illustrates Bad Security Practices

    Security solutions provider Trend Micro has published results (PDF) from running an industrial control system (ICS) "honeypot."

  • Ransomware: What It Means for Your Database Servers

    Ransomware affects databases in very specific ways. Joey describes the mechanics of a SQL Server ransomware attack, what DBAs can do to protect their systems, and what security measures they should be advocating for.

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.