Security hole in Internet Explorer gets exploited

Microsoft has issued a warning about a vulnerability in Internet Explorer (nearly all versions except IE 5.01, on all supported Windows operating systems). Attackers are actively abusing the security hole to smuggle malware onto PCs. Following a link to a specially crafted web site is enough to infect a machine.

It seems that this security vulnerability was used to attack Google in China. This is likely, as Microsoft lists Google as a contributor in the advisory. The problem exists because, “in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

According to the advisory, attacks may be mitigated by enabling the “Protected Mode” of Internet Explorer on Windows Vista and later operating systems. The current exploits seem to use JavaScript, so disabling scripting might help; enabling DEP also complicates an attack. Microsoft further advises installing an antimalware solution. The company is currently working on a patch, though it remains unclear when it will be ready.
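To see where a given Windows machine stands on the mitigations listed above, a PowerShell audit along the following lines can be used. It is an added example, not part of this article or of Microsoft's advisory; it assumes PowerShell 3.0 or later and reads the Internet zone's URL action values 1400 (active scripting) and 2500 (Protected Mode) from the registry and the system-wide DEP policy from WMI.

```powershell
# Added example: report the state of the mitigations named in the advisory.
# Zone 3 is Internet Explorer's "Internet" security zone.
$zoneSuffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
# Policy keys are checked first because Group Policy overrides the per-user preference.
$zoneKeys = @(
    "HKLM:\Software\Policies\$zoneSuffix",
    "HKCU:\Software\Policies\$zoneSuffix",
    "HKCU:\Software\$zoneSuffix"
)

function Get-ZoneSetting([string]$Name) {
    # Return the first configured value together with the key it came from.
    foreach ($key in $zoneKeys) {
        $p = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            return [pscustomobject]@{ Value = $p.$Name; Source = $key }
        }
    }
    return $null
}

function Format-Setting($Setting, [hashtable]$Meaning) {
    if ($null -eq $Setting) { return 'not set (IE default applies)' }
    $text = $Meaning[[int]$Setting.Value]
    if (-not $text) { $text = "value $($Setting.Value)" }
    "$text [from $($Setting.Source)]"
}

# URL action 1400 = active scripting, 2500 = Protected Mode (Vista and later).
$scripting = Get-ZoneSetting '1400'
$protected = Get-ZoneSetting '2500'

# System-wide DEP policy as reported by WMI.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$depPolicy = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ActiveScripting = Format-Setting $scripting @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
    ProtectedMode   = Format-Setting $protected @{ 0 = 'enabled'; 3 = 'disabled' }
    DepAvailable    = $os.DataExecutionPrevention_Available
    DepPolicy       = $depPolicy
} | Format-List
```

With the `OptIn` DEP policy, only programs that opt in are protected, so that result alone does not show whether DEP is active for Internet Explorer itself.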

It seems like a good idea to use alternative Web browsers like Firefox, Opera, Chrome or Safari in the meantime.

Dirk Knop
Technical Editor