Microsoft Admits IE Still Flawed
Fresh off its widest-ranging vulnerability fix in years, it turns out that Microsoft may have missed one.
Barely a day after Microsoft updated its Internet Explorer browser to patch no less than four separate vulnerabilities, a new flaw has emerged that could allow remote code execution.
In a public advisory issued late Wednesday, Microsoft (NASDAQ: MSFT) confirmed that it is investigating public reports of attacks that take advantage of the new IE vulnerability, but added that it has thus far seen only what it called "limited attacks".
It did not elaborate on the attacks or on the exact nature of the vulnerability.
Security research firm eEye, however, identified the new vulnerability as an XML zero-day flaw. Likewise, Symantec researcher Elia Florio pinpointed the problem as affecting the XML parsing engine in IE7.
"The vulnerability depends on how certain elements of HTML pages are terminated and therefore could potentially affect not only XML, but also other objects handled by the browser," Florio wrote in a Symantec security forum posting.
In its advisory, Microsoft noted that Windows Vista users are at less risk if they run IE7 in Protected Mode, which isolates the browser from the rest of the operating system by running it with reduced user privileges.
Microsoft also suggests workarounds in its advisory to help users protect themselves against the new issue. They include setting the Internet and Local intranet security zone settings to "High," which forces the browser to prompt users before it runs any ActiveX controls from a Web site.
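To verify that the zone-hardening workaround described above is actually in place on a machine, the following read-only PowerShell audit is an added example and not part of the original article or of Microsoft's advisory. It assumes the per-user zone settings live under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>` (zone 1 = Local intranet, zone 3 = Internet), that `CurrentLevel` holds the slider value (0x12000 = High, 0x11000 = Medium), that value `1200` governs "Run ActiveX controls and plug-ins" (0 = enable, 1 = prompt, 3 = disable), and that value `2500` is the Vista-only Protected Mode switch (0 = on, 3 = off); those key and value names are the assumption this example rests on, and the script changes nothing.

```powershell
# Added audit example (not from the article). Reports whether the IE security
# zones match the "High" workaround and whether Protected Mode is on.
# Assumed registry layout: Zones\1 = Local intranet, Zones\3 = Internet.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Assumed CurrentLevel encodings for the zone slider.
$levelNames = @{
    0x10000 = 'Low'
    0x10500 = 'Medium-Low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-High'
    0x12000 = 'High'
}

# Assumed encodings for value 1200 ("Run ActiveX controls and plug-ins").
$activeXNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Assumed encodings for value 2500 (Protected Mode, Vista and later only).
$protectedModeNames = @{ 0 = 'On'; 3 = 'Off' }

function Get-ZoneAudit {
    param(
        [Parameter(Mandatory)] [int] $ZoneId,
        [Parameter(Mandatory)] [string] $ZoneName
    )
    $path = Join-Path $zoneRoot $ZoneId
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Zone = $ZoneName; Level = 'missing'; ActiveX = 'missing'; ProtectedMode = 'missing'; MeetsWorkaround = $false }
    }
    $props = Get-ItemProperty -Path $path

    $level   = [int]($props.CurrentLevel)
    $activeX = if ($null -ne $props.'1200') { [int]$props.'1200' } else { -1 }
    $pmode   = if ($null -ne $props.'2500') { [int]$props.'2500' } else { -1 }

    # The advisory's workaround is satisfied when the slider is High, or when
    # ActiveX is at least set to Prompt/Disabled even if the slider is custom.
    $meets = ($level -eq 0x12000) -or ($activeX -in 1, 3)

    [pscustomobject]@{
        Zone            = $ZoneName
        Level           = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { ('Custom (0x{0:X})' -f $level) }
        ActiveX         = if ($activeXNames.ContainsKey($activeX)) { $activeXNames[$activeX] } else { 'Custom/Unset' }
        ProtectedMode   = if ($protectedModeNames.ContainsKey($pmode)) { $protectedModeNames[$pmode] } else { 'N/A' }
        MeetsWorkaround = $meets
    }
}

# Audit the two zones the advisory's workaround names.
$report = @(
    (Get-ZoneAudit -ZoneId 3 -ZoneName 'Internet'),
    (Get-ZoneAudit -ZoneId 1 -ZoneName 'Local intranet')
)
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.MeetsWorkaround }) {
    Write-Warning 'At least one zone does not enforce the "High"/ActiveX-prompt workaround.'
}
```

Run it as the user whose browser profile you want to check; per-machine policy under `HKLM` (or Group Policy) can override these per-user values, so a clean result here is necessary but not sufficient on a domain-managed host.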