Topic: New Flaw could affect Internet Explorer 6, 7 and 8

[Samker]

Microsoft issued a new security advisory on Wednesday, warning of a potential flaw in Internet Explorer which could allow third-parties access to data.: http://www.microsoft.com/technet/security/advisory/980088.mspx

"Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location." Microsoft said in the security advisory.

This comes after an out-of-band patch was released for Internet Explorer to patch a vulnerability, details of which were released by Google in January after a targeted attack upon them which resulted in the theft of intellectual property. The attack led Google to announce it would be withdrawing support for Internet Explorer 6.

The new vulnerability affects IE 5.01 and IE 6 on Windows 2000, IE 6 on Windows 2000 SP4 and IE6, IE7 and IE8 on Windows XP and Windows 2003. It could also affect Internet Explorer 7 and IE 8 on Windows Vista, Windows 7 and Windows Server 2008 if a user opts to disable protected mode or, in the case of Windows Server 2003 and 2008, is not running IE in Enhanced Security Configuration.

"The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites." Microsoft's security advisory explains.

No exploits have yet been reported to take advantage of the vulnerability so it remains to be seen whether Microsoft will deem it necessary to release another out-of-band patch or wait for the scheduled release day of February 9th.

(NeoWin)