Microsoft Issues Workaround for IE 6 and 7 Flaw

Microsoft published a workaround for an in-the-wild vulnerability in Internet Explorer 6 and 7, described last week.

The vulnerability, which doesn't affect IE 8, was first disclosed in a March 9 security advisory, which suggested that the bug could enable remote code execution-type exploits. Microsoft is considering releasing an out-of-band fix. On Friday, the company added a workaround to the advisory.

According to Redmond, IT administrators can leverage the workaround by "disabling the peer factory class through the modification of a registry key." To simplify matters, Microsoft pointed IT administrators to a Microsoft Fix It link that the company says will automate the workaround for Windows XP and Windows Server 2003 customers.

In an e-mailed statement, Microsoft Security Response Center spokesman Jerry Bryant said that his group is "working hard to produce an update which is currently in the testing phase."

Microsoft's continued testing of the vulnerability is "a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows," Bryant said.

He also warned that customers should test the workaround "thoroughly before deploying as certain functionality that depends on the peer factory class...may be affected." Such functions include printing a document from a Web page using IE or saving a Web page file during an IE session. Those two functions in particular, according to Bryant, may be affected by the installation of the workaround.

Andrew Storms, director of security at nCircle, believes that much like the IE zero-day bug in January, which received a lot of press because of its involvement in the "Aurora" exploit that hit Google, this bug will get what he called swift "mitigation assistance."

"The good news is that, at this time, IE 8 is not affected," Storms said. "There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser wars."

Bryant didn't specify if or when Microsoft's investigation might yield an out-of-band update. "We never rule out the possibility of an out-of-band update," he said regarding this IE bug.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Secured-Core PCs Promise To Stop Malware at the Firmware Level

    Microsoft and its hardware partners recently described new "Secured-core" PCs, which add protections against firmware-based attacks.

  • How To Ransomware-Proof Your Backups: 4 Key Best Practices

    Backups are the only guaranteed way to save your data after a ransomware attack. Here's how to make sure your backup strategy has ransomware mitigation built right in.

  • Microsoft Buys Mover To Aid Microsoft 365 Shifts

    Microsoft announced on Monday that it bought Mover to help organizations migrate data and shift to using Microsoft 365 services.

  • Microsoft Explains Windows 7 Extended Security Updates Setup Process

    Microsoft this week described installation instructions for volume licensing users of Windows 7 Service Pack 1 to get Extended Security Updates (ESU) activated on PCs.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.