Microsoft is in the news again today with security issues. Vupen Security has confirmed the Internet Explorer bug that was publicly reported on the first day of the year by security engineer Michal Zalewski. Vupen rates the bug as critical and confirmed it on IE8 on Windows XP SP3. But IE on Vista and Windows 7 as well as Server 2003 and Server 2008 are also vulnerable.
Microsoft has previously said it is in investigating and has issued as security that a vulnerability in Internet Explorer 6, 7 and 8 could allow remote code execution. It has not yet released a patch.
Microsoft has said that the vulnerability relates to uninitialised memory during a CSS function within the browser that is vulnerable to ‘drive by’ web-based attacks. The memory could be leveraged if the browser hits on an infected webpage which could allow an attacker to gain remote control with the same user rights as the legitimate local user.
It notes that the risk can be mitigated in accounts with fewer user rights than those who operate with administrative user rights. Furthermore, it suggests using IE in protected or restricted mode with security set to high for the internet zone.
The IE bug has created some controversy with claims and counter-claims about the extent of the risk, the timelines of events regarding when Microsoft became aware of the problem and Zalewski’s decision to go public about it.
And the problem goes back some time with Zalewski first reporting the vulnerability in 2008, which was investigated and patched in 2009 by Microsoft. An updated detection tool finds more problems in 2010 that Zalewski reported to the company and it investigated. It issued the first security alert in late December that was then revised at the end of the month.
Security experts at the company said they could not replicate all instances of the crashes with an earlier version of the fuzzing or diction tool. Unsatisfied that Microsoft had not responded by the report and believing hackers were looking for information, Zalewski reports on the bug.