Microsoft Issues New Security Advisory on IE Flaw

Microsoft issued a security advisory today for all supported versions of Internet Explorer.

The vulnerability is thought to be present in all IE versions, going all the way back to IE 6 on Windows XP. Microsoft indicated in its Security Advisory 2887505 that it is investigating the flaw but is "aware of targeted attacks" specifically against IE 8 and IE 9. The company may issue a patch in the near future, but for now it is pointing IT pros to a "Fix it" workaround described in this Knowledge Base article. The workaround applies only to 32-bit versions of IE.

Attackers exploiting this remote code execution flaw first have to direct the user to a Web page containing malicious code, for instance via an e-mail attachment or an IM link. The exploit is based on how IE handles "an object in memory that has been deleted or has not been properly allocated," according to the security advisory. The flaw can corrupt memory in a way that lets an attacker execute arbitrary code. If the attack succeeds, the attacker gains the same rights on the machine as the logged-on user. Microsoft notes that the threat is lessened when fewer accounts run with full administrative rights, since an attacker inherits only the compromised user's privileges.

There are some built-in protections for those running IE on Windows Server, the advisory explained. Windows Server 2003 and newer versions of the server use an "enhanced security configuration" that "can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server."

Microsoft is also recommending the use of its Enhanced Mitigation Experience Toolkit (EMET), which protects against general exploit techniques. EMET is listed in the advisory as a secondary workaround to deal with this vulnerability. EMET 4.0 is recommended for protecting IE.

IT pros can also set the Local intranet and Internet security zones in IE to the "High" setting, which blocks scripting and ActiveX controls. However, some Web sites may not work properly at that setting. Another approach is to configure IE to prompt the user before running scripts, but users could be prompted frequently at some sites. Where particular sites are affected, adding them to IE's "Trusted sites" zone gives finer control, so those sites keep working while the Internet zone stays locked down.
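The zone workaround above can be scripted and audited per user profile rather than clicked through the Internet Options dialog. The following PowerShell is an added example written for this page; it is not from Microsoft's advisory, the Knowledge Base article, or the "Fix it" package. It uses the standard IE zone registry layout (zone 1 = Local intranet, 3 = Internet, 2 = Trusted sites; action 1200 = run ActiveX controls, 1400 = Active scripting; 3 = disable) and a placeholder domain, intranet-app.example.com, standing in for a site an organization would choose to trust.

```powershell
# Added example (not code from the advisory or the article): set the Local
# intranet and Internet zones to the scripting/ActiveX part of the "High"
# template, verify the result, and place one site in the Trusted sites zone.
# Assumptions: per-user (HKCU) zone settings are in effect, and the domain
# below is a placeholder for a site the organization actually trusts.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# IE zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
$TargetZones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Per-action values: 0 = enable, 1 = prompt, 3 = disable
#   1200 = Run ActiveX controls and plug-ins
#   1400 = Active scripting
$HighTemplate = @{
    CurrentLevel = 0x12000   # slider position the Internet Options UI shows as "High"
    '1200'       = 3
    '1400'       = 3
}

function Set-ZoneHigh {
    param([int]$Zone)
    $path = Join-Path $ZoneRoot $Zone
    foreach ($name in $HighTemplate.Keys) {
        Set-ItemProperty -Path $path -Name $name -Value $HighTemplate[$name] -Type DWord
    }
}

# Read the zone back and report any value that does not match the template.
function Test-ZoneHigh {
    param([int]$Zone)
    $path  = Join-Path $ZoneRoot $Zone
    $props = Get-ItemProperty -Path $path
    $ok = $true
    foreach ($name in $HighTemplate.Keys) {
        $actual = $props.$name
        if ($actual -ne $HighTemplate[$name]) {
            Write-Warning ("Zone {0} ({1}): {2} is {3}, expected {4}" -f `
                $Zone, $TargetZones[$Zone], $name, $actual, $HighTemplate[$name])
            $ok = $false
        }
    }
    return $ok
}

# Put a site in the Trusted sites zone (zone 2). Under ZoneMap\Domains\<domain>
# the value name is the URL scheme and the DWORD data is the zone number.
function Add-TrustedSite {
    param([string]$Domain, [string]$Scheme = 'https')
    $path = Join-Path $ZoneMap $Domain
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Scheme -Value 2 -Type DWord
}

foreach ($zone in $TargetZones.Keys) {
    Set-ZoneHigh -Zone $zone
    if (Test-ZoneHigh -Zone $zone) {
        "Zone $zone ($($TargetZones[$zone])) now blocks Active scripting and ActiveX"
    }
}
Add-TrustedSite -Domain 'intranet-app.example.com'   # placeholder domain
```

Two caveats when using this. The full "High" template that the Internet Options slider applies changes more per-action values than the two enforced here; this script covers only the scripting and ActiveX behaviour the article describes, and Group Policy remains the cleaner way to push the complete template fleet-wide. Second, on machines where the `Security_HKLM_only` value is set under `Internet Settings`, IE ignores the per-user zone keys and reads the HKLM copies instead, so the audit function should be pointed at HKLM on such systems.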

The security advisory that was issued today comes on top of Microsoft's September security update, which was released last week. That release included "critical" and "moderate" fixes for 10 flaws in IE that could lead to remote code execution exploits.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
