Microsoft has confirmed the presence of a zero-day vulnerability impacting Internet Explorer (IE) versions 6 and 7.
The software giant said in an advisory that the flaw "exists as a null pointer reference of Internet Explorer" and involves the way the browser handles cascading style sheets objects. Attackers may be able to execute code on victims' machines if they can persuade them to visit a malicious website.
In addition, cybercriminals can compromise trusted websites to perpetrate the attack, said Michael Sutton, vice president of security research at security firm Zscaler.
“Internet Explorer versions 6 and 7 account for approximately 41 percent of web browsers in use today, so this vulnerability will be an enticing one for attackers,” he said. “Attacks such as these are also prime candidates for targeting otherwise legitimate websites as an attack vector. The exploit can be triggered simply via HTML code, so attackers can inject code into websites with weak security protections.”
According to Symantec experts, reliable proof-of-concept code has yet to be published, but it is expected.
There have been no reports of in-the-wild exploits, according to the advisory. IE8 is not affected.
Microsoft listed a number of suggestions that users can take to reduce the possibility of being hit by an exploit. They include mitigating actions, such as running IE7 in "Protected Mode", and workarounds, including setting internet and intranet security zone settings to "high" before running ActiveX controls.
Company engineers are working on a patch, and plan to release it as sson as it is cleared for widespread distribution. Microsoft's next scheduled security update release is December 8, but the firm occasionally issues out-of-band fixes for emergency vulnerabilities.
"Together with our partners, we will continue to monitor the threat landscape and will take action against any websites that seek to exploit this vulnerability," Jerry Bryant, senior security program manager at Microsoft, said in a blog post.
See original article on scmagazineus.com
Microsoft preps patch for IE flaw
Users encouraged to apply workarounds.
Got a news tip for our journalists? Share it with us anonymously here.
Partner Content
Partner Content
Australian organisations must act on security – or risk AI ambitions falling flat
.png&h=140&w=231&c=1&s=0)
Partner Content
AI and quantum computing widen the machine identity security gap
Partner Content
AI Supercharged: How Search is Powering the Future
Partner Content
What Embracing the AI Platform Shift Really Means
Sponsored Whitepapers
_page-0001.jpg&w=100&c=1&s=0)
Leverage Technologies: Industry-Tailored ERP Implementation for Growth and Compliance
.png&w=100&c=1&s=0)
Service Over Signatures: The Truth About No Lock-In IT
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
.png&w=120&c=1&s=0)
Tech in Gov 2025
Forrester's Technology & Innovation Summit APAC 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
