Friday, 12 December 2008, 15:01
TO COMBAT a recent zero-day flaw in Internet Explorer, Microsoft has decided to release a security advisory to protect its vulnerable users.
News of the flaw surfaced a couple of days ago, when it was originally assumed the problem was being caused by XML processing. Reports also indicated the flaw was unique to IE 7, a scope Microsoft has since widened to include IE 6 and IE 5.01.
In fact, rather than the problem simply affecting the XML parsing engine of IE 7, it’s more directly linked to data binding and the library MSHTML.DLL. And it affects IE on several Windows platforms, including Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista, Windows Vista SP1 and Windows Server 2008.
The Vole is still furrowing its furry brow about trying to get to the bottom of the issue, but has, in the meantime, drawn up some tips for users to try and avoid getting attacked while they wait for a patch.
The Redmond Giant has recommended all IE users have a fumble with their Internet and local intranet security settings, ensuring that they are set to ‘High’ so that IE will prompt before running any ActiveX controls or active scripting.
Additionally, Microsoft is recommending that active scripting be disabled altogether in the Internet and local intranet security zone and that DEP (Data Execution Prevention) should be enabled.
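For admins who want to see where a machine stands against those two zone recommendations, here is an added audit sketch in PowerShell; it is not taken from Microsoft's advisory. It assumes the standard Windows URL security zone registry layout (zone 1 is Local intranet, zone 3 is Internet, value `1400` is Active scripting), checks policy keys before the per-user key as a simplification of how IE resolves them, and does not check DEP.

```powershell
# Added example: report security level and Active scripting state for the
# Internet and Local intranet zones. Read-only; changes nothing.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$levels  = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium'
              0x10500 = 'Medium-low'; 0x10000 = 'Low'; 0 = 'Custom' }
$actions = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$sub     = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Policy copies are checked first, then the per-user setting (simplified order).
$roots = @("HKLM:\Software\Policies\$sub",
           "HKCU:\Software\Policies\$sub",
           "HKCU:\Software\$sub")

function Get-ZoneValue([int]$Zone, [string]$Name) {
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path "$root\$Zone" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $root }
        }
    }
    return $null   # value not set anywhere we looked
}

function Get-IEZoneAudit {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $level  = Get-ZoneValue $zone 'CurrentLevel'
        $script = Get-ZoneValue $zone '1400'
        $levelName  = 'Not set'
        $scriptName = 'Not set'
        if ($level) {
            $levelName = $levels[$level.Value]
            if (-not $levelName) { $levelName = 'Unknown (0x{0:X})' -f $level.Value }
        }
        if ($script) {
            $scriptName = $actions[$script.Value]
            if (-not $scriptName) { $scriptName = "Unknown ($($script.Value))" }
        }
        [pscustomobject]@{
            Zone            = $zones[$zone]
            SecurityLevel   = $levelName
            ActiveScripting = $scriptName
            # True only when scripting is off outright, the stricter recommendation.
            ScriptingOff    = ($script -and $script.Value -eq 3)
            ReadFrom        = $(if ($script) { $script.Source } else { '-' })
        }
    }
}

Get-IEZoneAudit | Format-Table -AutoSize
```

A row showing `High` and `Disabled` matches the workaround as described, which still does not amount to a fix.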
But Internet security blog Secunia, having tested the flaw thoroughly, reckons that setting the security level to ‘High’ for the Internet security zone or disabling Active Scripting won’t necessarily ensure complete protection, claiming that those measures make the vulnerability harder for attackers to trigger but that it is still possible to do so.
Now, far be it from us to try and improve on Microsoft’s advice, but shurely, if the preventative measures recommended by Microsoft aren’t going to protect users 100 per cent anyway, and are a hassle, why not just switch to Firefox to avoid these Volish vulnerabilities altogether and be done with it? µ