Microsoft confirms newest IE bug went unpatched yesterday

Microsoft said it's investigating reports of a new unpatched vulnerability in Internet Explorer.

Microsoft today said it's investigating reports of a new unpatched vulnerability in Internet Explorer (IE) that did not get patched in yesterday's massive update.

Other researchers, meanwhile, said that the timing of the attacks, which have already started, was not coincidental.

"The updates Microsoft released yesterday do not address this possible vulnerability," a Microsoft spokesman said today in an e-mail reply to questions, "but I can tell you that Microsoft is investigating these new public claims of a possible vulnerability in Internet Explorer."

Exploit code, which first surfaced in China, is actively seeking out victims, according to security researchers there and in the US. Those researchers have found attack code on multiple malicious domains and servers. Elsewhere today, an exploit was posted to the milw0rm.com site, a popular destination for public posting.

Symantec echoed Microsoft today, confirming that the flaw was not fixed by Tuesday's record-setting update, which included four patches, all judged "critical," for IE.

"The attack works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches," said Symantec researcher Elia Florio in an entry to the company's vulnerability blog. "Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit, which seems to target Internet Explorer 7 on Windows XP and 2003 systems."

There is some minor disagreement among researchers about the underlying bug. HD Moore, a noted vulnerability researcher and the labs director at BreakingPoint Systems, a Texas-based network test company, said his analysis points to a flaw in how IE handles the HTML "span" tag.

Others, however, said that the vulnerability is broader than that. "It's a problem in the .dll that handles the rendering of multiple types of HTML content in IE," said Ben Greenbaum, a senior manager in Symantec's security response group. "But the bug is triggered by the span tag, so it would be accurate to say it's a combination of both of those sources."

Greenbaum said Symantec has monitored attacks, but downplayed the threat for now. "Even in those regions [China and Asia], we're not seeing very high amounts of attacks," he said. "And in our own lab tests, the exploit is not successful against every machine. It's not all that reliable."

He guessed that the current attack code works, at best, a third of the time, but is most likely even less reliable than that. "Only a small portion of these attacks will be successful."

Symantec has not yet determined whether other versions of Microsoft's browser contain the same vulnerability; attack code in use now, however, works only against IE7.

Both Greenbaum and Moore agreed that what sets the bug apart is the timing.

"The most interesting thing is that it seems to have been first exploited on Patch Tuesday," Greenbaum said. "If that's the case, then it's a safe bet that they timed it so that at the least they'd have a month before a patch is released."

"There are usually a couple of these floating around," noted Moore in an e-mail today. "I think the media focus is related to the Microsoft Tuesday timing more than anything else." During his research, Moore uncovered two Chinese servers that were serving malicious code, and noted that the exploits had been last modified Sunday and yesterday.

Symantec recommended that users enable DEP (data execution prevention) in IE and disable JavaScript. The former can be done by calling up Internet Options from IE's Tools' menu, clicking the Advanced tab, then checking the box marked, "Enable memory protection to help mitigate online attacks."

Microsoft didn't promise a patch, but said it might produce one. "Once we're done investigating, we will take appropriate action to help protect customers," said the company's spokesman. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitybugsInternet Explorer

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?