Microsoft responds to Black Hat talk with IE bug advisory

View state flaw revealed.

Microsoft has disclosed that Internet Explorer (IE) suffers from an unpatched vulnerability that could lead to information exposure.

The bug, which affects machines running Windows XP or those that have disabled IE's Protected Mode, can allow an attacker to access files whose name and location are already known, according to an advisory from Microsoft.

The software giant admitted to the vulnerability after researchers at Core Security Technologies, provider of penetration testing software, revealed the issue during a presentation this week at the Black Hat conference in Washington, D.C. The talk, entitled "Internet Explorer turns your personal computer into a public file server", was delivered by Core engineer Jorge Luis Alvarez Medina.

The flaw is caused by "content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites," the advisory said.

Microsoft says it is not aware of any active attacks. IE running on newer versions of Windows is not affected.

"Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue," Jerry Bryant, senior security program manager at Microsoft, said in a blog post.

He encouraged customers to upgrade to IE 8.
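The advisory's mitigation boundary is Protected Mode: Windows XP cannot offer it, and on Vista or later it only helps if it has not been switched off. The following PowerShell script is an added example, not code from the article, from Microsoft or from Core Security, that reports which side of that boundary a machine sits on. It assumes the standard Internet Explorer registry locations: the IE build number under HKLM:\SOFTWARE\Microsoft\Internet Explorer, and the per-zone settings under Internet Settings\Zones, where zone 3 is the Internet zone and the DWORD named 2500 holds the Protected Mode switch (0 = enabled, 3 = disabled), with the Policies branches taking precedence when Group Policy sets the value.

```powershell
# Added example (not from the article or the vendor advisory): report whether this
# machine is in the exposed configuration described above, namely Windows XP (no
# Protected Mode available) or Vista-or-later with IE Protected Mode disabled for
# the Internet zone.
# Assumptions: zone 3 = Internet zone; DWORD "2500" = Protected Mode switch
# (0 = enabled, 3 = disabled); Policies keys override the per-user setting.
# Run in the user's own session, since the per-user value lives in HKCU.

function Get-IEProtectedModeStatus {
    [CmdletBinding()]
    param()

    $os = [Environment]::OSVersion.Version
    $ieVersion = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' `
                    -ErrorAction SilentlyContinue).Version

    # Protected Mode exists only on Windows Vista (NT 6.0) and later.
    if ($os.Major -lt 6) {
        return [pscustomobject]@{
            OSVersion      = $os.ToString()
            IEVersion      = $ieVersion
            ProtectedMode  = 'Not available on this OS'
            Source         = 'n/a'
            Exposed        = $true
            Recommendation = 'Protected Mode cannot be enabled on Windows XP; apply the vendor fix when it ships.'
        }
    }

    # Group Policy (machine, then user) overrides the per-user zone setting, so
    # walk the locations in precedence order and take the first value found.
    $zonePaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    )
    $setting = $null
    $source  = 'default (value not present)'
    foreach ($p in $zonePaths) {
        $v = (Get-ItemProperty -Path $p -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($null -ne $v) { $setting = $v; $source = $p; break }
    }

    # A missing value means the OS default, which is "enabled" on Vista and later.
    $enabled = ($null -eq $setting) -or ($setting -eq 0)

    [pscustomobject]@{
        OSVersion      = $os.ToString()
        IEVersion      = $ieVersion
        ProtectedMode  = if ($enabled) { 'Enabled' } else { 'Disabled' }
        Source         = $source
        Exposed        = -not $enabled
        Recommendation = if ($enabled) { 'No action needed for this issue.' }
                         else { 'Re-enable Protected Mode for the Internet zone (set DWORD 2500 to 0) or restore the default.' }
    }
}

# Usage: print the report for the current user.
Get-IEProtectedModeStatus | Format-List
```

When the report shows Protected Mode disabled through the per-user key, `Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -Name 2500 -Value 0 -Type DWord` restores the default; when the source is one of the Policies keys, the change belongs in Group Policy rather than the local registry, otherwise policy refresh will revert it.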

Bryant did not say when customers should expect a patch. Microsoft's next round of fixes is due out next Tuesday.

"As with any update, we have to balance overall quality and ensure application compatibility before we release it," he said.

See original article on scmagazineus.com


Copyright © SC Magazine, US edition