Microsoft yesterday issued a fix to a remote code execution vulnerability affecting Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8. In an update now to its security advisory, Microsoft affirms that it has added a link to Microsoft Fix it solution, “MSHTML Shim Workaround” that prevents exploitation of this issue.
As per our earlier reports, Microsoft had confirmed that it was investigating a loophole affecting Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8. What was worrying about the vulnerability was that once the attacker managed to successfully crack the vulnerability, he could obtain for himself the same user rights as the current user. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft's security advisory revealed further.
The attacker could even go ahead and host malicious websites and then 'convince a user to view the website'. The vulnerability in question was not been found to affect Internet Explorer 9 and Internet Explorer 10. Microsoft revealed further that the vulnerability was in the way IE got through an object in memory that had been deleted or 'has not been properly allocated'.
Microsoft explained that in a web-based attack scenario, an attacker could host a website with the webpage used to exploit this loophole. However, even the advisory agreed that there is no way that an attacker could force a user to access these malicious websites. What he could do instead, was convince them and this he could do by getting them to click links in an email or IMs.
Microsoft, by way of its security advisory had assured that, “We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.”
Earlier this month, a security loophole discovered in Internet Explorer was found to be potent enough to track a user's cursor movements, even if their window was inactive, minimised or unfocused. Naked Security reported that the vulnerability was first brought to light by spider.io, vendor of a hosted platform that the company says allows users to distinguish between human website visitors and bots in real time. Interestingly, Spider.io informed the existence of the flaw to Microsoft in October, while adding that the IE version 6-10 were affected. While Microsoft Security Research Center admitted to there being a flaw, it informed spider.io that it has “no immediate plans” to patch it in existing browser versions; it was then that it revealed the flaw.
The security loophole essentially allows attackers to track an IE user's mouse movements, even if they haven't installed any software as such. All that attackers have to do is buy a display ad slot on any website. Spider.io adds, “This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector.”