Microsoft Issues New Security Advisory on IE Flaw

Microsoft issued a security advisory today for all supported versions of Internet Explorer.

The vulnerability is thought to be present on all IE versions, going all of the way back to IE 6 on Windows XP. Microsoft indicated in its Security Advisory 2887505 that it is investigating the flaw but is "aware of targeted attacks" specifically on IE 8 and IE 9. The company may issue a patch in the near future, but for now it is pointing IT pros to a "Fix it" workaround described in this Knowledge Base article. The workaround only applies to 32-bit versions of IE.

Attackers exploiting this remote code execution flaw must first lure the user to a Web page hosting malicious code, for example through an e-mail attachment or an IM link. The exploit is based on how IE handles "an object in memory that has been deleted or has not been properly allocated," according to the security advisory. The resulting memory corruption can allow an attacker to execute code. If the attack is successful, the attacker gains the same rights as the logged-on user. Microsoft advises that the threat can be lessened when fewer accounts are run with full administrative rights.

There are some built-in protections for those running IE on Windows Server, the advisory explained. Windows Server 2003 and newer versions of the server use an "enhanced security configuration" that "can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server."

Microsoft is also recommending the use of its Enhanced Mitigation Experience Toolkit (EMET), which protects against general exploit techniques. EMET is listed in the advisory as a secondary workaround to deal with this vulnerability. EMET 4.0 is recommended for protecting IE.

IT pros can also set the Local intranet and Internet security zones in IE to the "High" setting, which blocks scripting and ActiveX controls. However, IE may not work well with some Web sites at that setting. Another approach is to configure IE to prompt the user before running scripts, but users could get prompted a lot at some sites. Where either setting breaks a site that is needed, adding that site to the Trusted sites zone in IE restores its functionality without loosening the Internet zone.
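For administrators who want to script the zone workaround above rather than click through the IE dialogs, the following PowerShell is an added example; it is not part of the advisory or this article. It assumes the standard per-user IE zone keys under HKCU (Zones\1 for Local intranet, Zones\3 for Internet, ZoneMap\Domains for site-to-zone mappings) and the documented CurrentLevel template values; the domain name in the last line is a made-up sample.

```powershell
# Added example (not from the article or from Microsoft): audit and apply the IE
# security-zone workarounds described in the text. Registry paths, zone numbers
# and CurrentLevel constants are the documented IE values; the sample domain
# 'intranet.example.com' is constructed for illustration.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers as IE stores them.
$Zone = @{ LocalIntranet = 1; TrustedSites = 2; Internet = 3; RestrictedSites = 4 }

# CurrentLevel template values (the preset levels shown in the IE slider).
$Level = @{ Low = 0x10000; MediumLow = 0x10500; Medium = 0x11000; MediumHigh = 0x11500; High = 0x12000 }

# Per-action values for "Active scripting" (1400) and "Run ActiveX controls" (1200).
$ActionValue = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-IEZoneLevel {
    # Report the current preset level and the two settings the article cares about.
    param([Parameter(Mandatory)][ValidateRange(0,4)][int]$ZoneId)
    $props   = Get-ItemProperty -Path "$ZonesKey\$ZoneId" -ErrorAction Stop
    $current = [int]$props.CurrentLevel
    $match   = $Level.GetEnumerator() | Where-Object { $_.Value -eq $current } | Select-Object -First 1
    $name    = 'Custom'
    if ($match) { $name = $match.Key }
    [pscustomobject]@{
        ZoneId          = $ZoneId
        CurrentLevel    = ('0x{0:X}' -f $current)
        LevelName       = $name
        ActiveScripting = $props.'1400'   # 0 = enable, 1 = prompt, 3 = disable
        ActiveX         = $props.'1200'   # same encoding
    }
}

function Set-IEZoneLevel {
    # Apply a preset level (the article's "High" recommendation) to one zone.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(0,4)][int]$ZoneId,
          [Parameter(Mandatory)][ValidateSet('Low','MediumLow','Medium','MediumHigh','High')][string]$LevelName)
    $path = "$ZonesKey\$ZoneId"
    if ($PSCmdlet.ShouldProcess($path, "Set CurrentLevel to $LevelName")) {
        Set-ItemProperty -Path $path -Name CurrentLevel -Value $Level[$LevelName] -Type DWord
    }
}

function Set-IEActiveScripting {
    # The article's gentler alternative: prompt before running scripts instead of blocking outright.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(0,4)][int]$ZoneId,
          [Parameter(Mandatory)][ValidateSet('Enable','Prompt','Disable')][string]$Mode)
    $path = "$ZonesKey\$ZoneId"
    if ($PSCmdlet.ShouldProcess($path, "Set Active scripting (1400) to $Mode")) {
        Set-ItemProperty -Path $path -Name '1400' -Value $ActionValue[$Mode] -Type DWord
    }
}

function Add-IETrustedSite {
    # Map a site into the Trusted sites zone so it keeps working once the Internet zone is set to High.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Domain,
          [ValidateSet('http','https')][string]$Scheme = 'https')
    $path = "$ZoneMapKey\$Domain"
    if ($PSCmdlet.ShouldProcess($path, "Map $Scheme`://$Domain to Trusted sites")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $Scheme -Value $Zone.TrustedSites -Type DWord
    }
}

# Audit first, then preview the changes with -WhatIf; drop -WhatIf to apply them.
Get-IEZoneLevel -ZoneId $Zone.Internet
Get-IEZoneLevel -ZoneId $Zone.LocalIntranet
Set-IEZoneLevel -ZoneId $Zone.Internet      -LevelName High -WhatIf
Set-IEZoneLevel -ZoneId $Zone.LocalIntranet -LevelName High -WhatIf
Add-IETrustedSite -Domain 'intranet.example.com' -WhatIf    # constructed sample domain
```

The script only touches the current user's hive, which matches what the IE dialog does; in a domain, the same keys under HKLM with the "Security Zones: Use only machine settings" policy would push the change to every user. Running the audit function again after applying the change is the quickest way to confirm the zone now reads as High and that scripting and ActiveX show as disabled.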

The security advisory that was issued today comes on top of Microsoft's September security update, which was released last week. That release included "critical" and "moderate" fixes for 10 flaws in IE that could lead to remote code execution exploits.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
