Microsoft warns of IE bug on Windows XP
Internet Explorer continues to be a target of unpatched exploits as Microsoft released yet another security advisory for IE on Wednesday, mostly applying to Windows XP users.
According to the advisory, the software giant is investigating a new publicly reported bug affecting IE versions 5 to 8 on Windows XP and Windows Server 2003 Service Pack 2. The fix applies to IE browsers that aren't configured by default to run in "protected mode" or that have that function turned off.
Microsoft's advisory also applies to IE 5.01 SP4 on Windows 2000 SP4, as well as to IE 6 SP1 on Windows 2000 SP4.
This vulnerability typically doesn't apply when running IE on Windows Vista or Windows 7 because those operating systems use protected mode by default, according to a Microsoft blog. The blog noted that Microsoft has already issued a "Fix it" automated patch to help individual users enable protected mode on XP systems.
"Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown," the blog explains. "We have created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems."
The bug in question would still require that users be directed to a malicious Web site in order for the exploit to happen. A hacker could gain the same local user rights as the IE user if an attack is carried out successfully. Limiting user rights on the system thus can be a helpful way to lessen an attack's impact.
Redmond may release a patch for this bug in its monthly security update, coming next Tuesday, or issue an out-of-band patch. Microsoft already issued an out-of-band fix for IE in January to address a remote code execution bug that led to attacks on Google and other companies.
Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.