Two security researchers believe it is technically possible to exploit the critical Internet Explorer flaw in versions 7 and 8 of the browser. Microsoft, which says that only IE6 on Windows XP is affected, will issue an out-of-cycle patch.

Bad news for Microsoft.

Analysis of the attacks against Google and 33 other companies had identified a critical unpatched flaw in Internet Explorer.

According to Microsoft's initial reports, only users of version 6 of the browser and Windows XP were actually affected. The DEP (Data Execution Prevention) integrated into IE7 and IE8 would prevent exploitation of the 0-day vulnerability.

In the end, it seems that the risk is greater. A security researcher, Dino Dai Zovi, has developed proof-of-concept (PoC) code to compromise a computer running Internet Explorer 7 on Vista and XP. In a message posted on Twitter, Dino Dai Zovi says he believes that the protection provided by DEP can be circumvented.

DEP protection of IE7 and 8 could be circumvented

On The Register, Dino Dai Zovi nevertheless considers that Microsoft's recommendations (DEP, ASLR, protected mode, …) provide a significant level of protection against targeted attacks. For the time being, the PoC he developed mainly allows sensitive files to be read, but not system settings to be changed.

The researcher says, however, that he is close to being able to carry out more powerful attacks, including exploiting the critical flaw in Internet Explorer 8. The vulnerability analysis firm Vupen Security has also issued a security bulletin, brief (presumably for security reasons), underlining the possibility of executing code remotely on a computer running Internet Explorer 8.

Asked by CNET News, Microsoft says it is studying the evidence provided by Dino Dai Zovi and Vupen Security, and the possibility of an attacker bypassing the DEP protection of Internet Explorer.

Security alerts encourage the download of Firefox and Opera

For the moment, Microsoft still recommends that users of IE6 and Windows XP migrate to newer versions of its browser and of its Windows operating system. French, German and Australian security agencies now recommend that users adopt an alternative browser, a position that the Redmond company describes as excessive.

However, Microsoft takes the threat seriously and has published a note on its security blog announcing that it will release a patch outside of its usual cycle. The critical flaw in Internet Explorer should therefore be corrected before the February patch day.


Microsoft is trying to reassure users of its applications. Its image, already tarnished by several security incidents, risks suffering from the disclosure of this new vulnerability and its coverage in newspapers and on television (major media outlets).

Alternative browsers, such as Firefox and Opera, stand to benefit directly from this bad publicity. According to statistics obtained by The Register, the number of downloads of Opera and Firefox has increased significantly in recent days.
