Microsoft confirmed the existence of an unpatched vulnerability in Windows. Internet Explorer vulnerability potentially allows an attacker to execute code remotely via the memory used by a CSS stylesheet. Windows XP, Windows Vista, Windows 7, Windows Server 2003 and 2008 are affected.
Microsoft confirmed the security flaw in late December. On Tuesday, it updated its advisory to reflect reports of limited attacks attempting to exploit vulnerability in all supported versions of Internet Explorer.
If successful, attacks can infect computers victims, and introduce malware to rob the machines, extracting information or enroll in botnet criminals. The vulnerability has been identified in the Graphics Rendering Engine in Windows, and especially in how it manages the thumbnails of files. In particular, it can be activated when the user views the file manager with a Windows folder with a sticker diverted, or when opening Office documents or view some. Microsoft, which acknowledged the bug in a security advisory, said that only Windows XP, Vista, Server 2003 and Server 2008 are affected by this vulnerability, but not the latest operating system Windows 7 and Server 2008 R2.
To reduce risk, Microsoft recommends in particular enabling Protected Mode Internet Explorer on Vista and later versions of Windows. Successful exploitation of the flaw is still possible, but the attacker will then have limited rights on the system vulnerable.
In addition to these configuration changes, Microsoft has developed an interim fix, a FixIt. On its website, the publisher said that the program adds a check to see if a style sheet cascade is about to be loaded recursively. If this is the case, the solution FixIt cancels the loading of the cascading style sheet. ”
The solution proposed by Microsoft is considered original since it relies on a utility (Microsoft Application Compatibility Toolkit) designed in principle to address application compatibility issues.
The real fix for the vulnerability in Internet Explorer should not be released until at best the next Patch Tuesday is to say, February 8. Indeed, patches of January have already been issued by Microsoft, and they do not take into account the latest Windows and IE vulnerabilities disclosed to the editor by researchers.
While Microsoft disclaims whether active attacks are conducted to take advantage of this loophole, that’s one more bug to add to a growing list of unpatched vulnerabilities, said Andrew Storms, director of security at nCircle Security. “There is already this huge bug” zero-day Internet Explorer “over this bug in WMI Active X on which Secunia has issued a warning on December 22. And now this bug is in image management. That’s a good year ahead for Microsoft … Two weeks ago, Microsoft confirmed that indeed a critical bug in IE. Michal Zalewski engineer in charge of security at Google say they have evidence that Chinese hackers were attacking another flaw in the same browser.