IE7 security patch to be released today

 

Gallery

Posted on 17 Dec 2008 at 12:51

Microsoft is intending to release a patch to plug security vulnerabilities in Internet Explorer today. The news follows Microsoft's admission last week that there is a flaw in IE7 that could allow hackers to run malicious code which would activate applications designed to steal your passwords and personal details.

"We are actively investigating the vulnerability that these attacks attempt to exploit," said the company in a statement.

"We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

The company warned that attackers could host specially crafted websites or target user-generated websites to exploit the vulnerability through IE7. They will entice users to view the page, but would have no way to force users to visit these websites. Instead they would have to convince users to visit the site, by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the website.

It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems, Microsoft warned.

"Based on our investigation, setting the internet zone security setting to High will protect users from known attacks," advised Microsoft.

However, for the most effective protection, customers should evaluate a combination of using the High security setting in conjunction with one of the following workarounds:

- Disable XML Island functionality
- Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL
- Disable Row Position functionality of OLEDB32.dll
- Unregister OLEDB32.dll
- Use ACL to disable OLEDB32.dll

For additional workaround details, see Microsoft's workaround help.

Author: Dawinderpal Sahota