Well, here we are again. A few weeks after Microsoft pushed out a critical patch to all versions of Internet Explorer, Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies provided details of another attack against the beleaguered browser. This time, an attacker “may be able to access files with an already known file name and location.” If that sounds a bit scary, it should. It falls into a class of attacks called “Local File Disclosure” and can be exploited by sending the victim to a malicious site at attempts to access files stored on your computer. The attacks leverage different design features of Internet Explorer that can be combined to do serious damage. Secunia has rated this as “Moderately critical” Read more
Much has been written about the recent hack targeting Google, but somewhat lost in the shuffle is that the attack specifically targets Internet Explorer 6 on Windows 2000 and Windows XP. Based on their analysis of the attack, Microsoft’s Security Research and Defense blog urges users to upgrade to a newer platform or enable DEP (only available on Windows XP Service Pack 2 or later).
In their blog post, Assessing risk of IE 0day vulnerability, Microsoft outlines the potential impact on the main OS and browser combinations.
|Windows 2000||Windows XP||Windows Vista||Windows 7|
|Internet Explorer 6||Exploitable||Exploitable (current exploit effective for code execution)||N/A
(Vista ships with IE7)
(Windows 7 ships with IE 8)
|Internet Explorer 7||N/A
(IE 7 will not install on Windows 2000)
|Potentially exploitable (current exploit does not currently work due to memory layout differences in IE 7)||IE Protected Mode prevents current exploit from working.||N/A
(Windows 7 ships with IE 8)
|Internet Explorer 8||N/A
(IE 8 will not install on Windows 2000)
|DEP enabled by default on XP SP3 prevents exploit from working.||IE Protected Mode + DEP enabled by default prevent exploit from working.||IE Protected Mode + DEP enabled by default prevent exploit from working.|
In spite of this, Microsoft still has no plans to drop support for IE6, leaving it up to the individual to upgrade if they desire. Because of this, there are still many major corporations that have not yet upgraded from this now ancient browser – IE 7 was released over 3 years ago.
Even though this event is likely to not change their behavior, if upgrading the operating system is not an option, they should at least consider deploying Firefox and the awesome extension IE Tab for those times when they just have to use Internet Explorer.
Also – Google doesn’t get a free pass here. How is it that the maker of the most secure browser still has workstations running IE6?
- You Can’t Afford a Data BreachMarch 26, 2020 - 1:48 pm
- A MESSAGE FROM EPC REGARDING COVID-19March 19, 2020 - 1:27 pm
- Continuing Our Western ExpansionMarch 3, 2020 - 10:44 am
- Is it Time to Upgrade Your Windows 7 Computer? (Yes.)December 5, 2019 - 8:21 am
- From Allentown to Bethlehem: Our New Pennsylvania Facility!August 28, 2019 - 10:52 am