
Serious Flaw In IE7 Still Lingers

Apparently, Microsoft has yet to patch a serious security hole in all versions of Internet Explorer, allowing hijackers to take control of consumers' PCs.

Last week Microsoft announced that it was still investigating attacks against a new zero-day vulnerability in all builds of Internet Explorer. However, as of this writing, the company has yet to release a fix, thus leaving millions of Internet surfers vulnerable when using the browser. In essence, Internet Explorer's security hole can result in a "full compromise of an affected system," as stated by the Shadowserver Foundation. With the right financial backing, this desktop disaster could become an electronic massacre on a global scale.

According to Trend Micro, the vulnerability leaves end-users wide open to hijackers after visiting web sites infected with malicious JavaScript called "JS_DLOAD.MD." Once the JavaScript succeeds in its exploit, it triggers a series of redirections to multiple URLs, finally settling on one of several different domains. Supposedly, the toolkit associated with this evil JavaScript is rumored to be sold in the Chinese underground community. "This is quite logical, since TSPY_ONLINEG variants are notorious info-stealers — particularly stealing credentials related to online games, which in turn are very popular in China," said the company in this blog.

Trend Micro took advantage of Microsoft's lack of security support by pimping its Smart Protection Network program, claiming that its service delivered immediate protection to customers by blocking access to the malicious URLs. However, Microsoft turned around and released a Security Advisory, offering details on how to enable a workaround until Microsoft releases an official patch. The workarounds offered include setting the Internet and Local Internet security zone settings to "High," disabling XML Island functionality, disabling Active Scripting and more.

"We are actively investigating the vulnerability that these attacks attempt to exploit," says Microsoft. "We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

While Microsoft should be commended for its work in dealing with security issues, consumers should stay aware that Windows-based products remain at the forefront of most attacks, as both the operating system and the browser reside on most consumer PCs. End-users are catching on, however, as Mozilla's Firefox has taken the lead in the browser wars in November, enticing a whopping 44.2 percent of Internet users. Microsoft's Internet Explorer 7 comes in second, taking up 26.6 percent of the market, followed by Internet Explorer 6 with 30 percent. The three other contenders, Chrome, Opera and Safari, didn't even break into double-digit percentages.

The best thing for consumers to do at the moment is not use any version of Microsoft's Internet Explorer. Keep the operating system and Internet security software updated, and follow Microsoft's recommendations if using Internet Explorer is a necessity. If required, head to Shadowserver's list of IP addresses and make sure those numbers are blocked.

UPDATE: Microsoft released a Cumulative Security Update this morning that may very well address the issue. "This security update resolves four privately reported vulnerabilities," says Microsoft. "The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Find out more here.