Microsoft warned yesterday that a flaw in Internet Explorer gives attackers access to files stored on a PC.
Use Protected Mode, Internet Explorer users warned
However, Microsoft said the flaw in its Internet Explorer web browser gives attackers access to files stored on a PC only under certain conditions.
"Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location," Microsoft said in a security advisory.
The vulnerability requires that an attacker knows the name of the file they want to access, it said.
The disclosure is the latest security problem to affect IE. Last month, an undisclosed vulnerability in IE 6 was used in attacks that targeted more than 20 US companies, including Google, which blamed China. The vulnerability has since been fixed by Microsoft.
The attacks led Google to announce last week that it would phase out support for IE 6, starting with Google Apps and Google Sites in March. (See: Google and DoH drop support for IE6.)
The IE vulnerability disclosed on Wednesday, which is caused by incorrectly rendering local files in the browser, affects several versions, including Internet Explorer 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 Service Pack 4; and IE 6, IE 7, and IE 8 on Windows XP and Windows Server 2003, Microsoft said.
"Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.
Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.
Comments
enough said: Toyota recalled thousands of cars this week at a cost of millions - it seems there was a bug in their braking system. They will of course be compensating all drivers for wasting their time and money on the faulty product. So anyone else think it about time microcrippleware was developed by someone remotely competent to do so after all these years? Or perhaps they should be forced to pay for their incessant inefficiencies and scre-ups, and pay dearly. IMO it's more than time.
MarkyBhoy said: A clear example why everyone should upgrade to Windows 7 and always use the most up-to-date IE. Firefox has problems as well and is not as good as IE in quite a few instances. All software is vulnerable, especially older versions; move with the times.
Matt Egan, editor, PC Advisor said: (continues) Finally, IE8 replaced IE6 as the world's most popular web browser only this week, so I think it is fair for us to warn the millions of IE6 users the world over about potential vulnerabilities. Not least because, as of this minute, 7% of PC Advisor users are browsing the site using IE6, which equates to roughly 112,000 people.
Matt Egan, editor, PC Advisor said: Cyteck, I'd love to know where this story is inaccurate, and I'd draw your attention to this quote: "If a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location." I quote, of course, Microsoft. If your IE browser is not in Protected Mode, you are vulnerable to this hack. This doesn't mean it is likely you will be attacked, but I think it is PC Advisor's job to inform people of this. Read the story again (perhaps via the reprint in the Washington Post) and you'll see this does affect all flavours of Internet Explorer, but IE8 on Vista and Windows 7 has Protected Mode enabled by default.
Cyteck said: I have no problem with PC Advisor writing articles on MS vulnerabilities to inform computer users when there is a real problem, BUT what I do have a difficulty with is when such articles verge on scaremongering & when the facts are just plain WRONG. These recent vulnerabilities DON'T apply to ALL versions of Internet Explorer; they DON'T include IE8 on Windows 7, for example, or Windows Vista with IE8.
Yimbo said: Surely ANY security flaw should be fixed ASAP. High time MS made up its mind and issued a repair patch.
Alex said: So would it be wise to tell the masses how to activate safe mode or check that it is on?
Cyteck said: This is NOT a 100% accurate story and very misleading. a) Microsoft themselves have already released a security patch which fixes the vulnerability; it was released last week, in fact. b) It doesn't affect ALL versions of IE; if you had read Microsoft's own security advisory for this month you would know the vulnerability applies to older, earlier versions of Internet Explorer, specifically IE6 & IE7 on Windows 2000 SP4 and Windows XP SP1 mostly. c) The MS advisory says DEP (data execution prevention) was enabled on XP SP2, Vista & Win7, so the OS is unlikely to be affected by the same IE exploit. d) MS released a patch to fix further known vulnerabilities.
swarfendor437 said: Clearly, if this is the case and hackers know the location of an important system file, which will be in a default location, it's either bye-bye system or become another bot. Users should switch to Opera or Firefox at their earliest convenience.