Recent exploits regarding the Internet Explorer HTML handling vulnerability.

Hi everyone, Stepto here.  Today the MSRC became aware of public reports of attacks on some PC users utilizing the vulnerability that Lennart posted about in Internet Explorer.

Here’s what we know. The attacks are limited in scope for now and are being carried out by malicious Web sites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering. To be clear, and as our advisory states, the vulnerability affects currently supported versions of Windows 2000, Windows XP and Windows Server 2003.

So.  What are the IE team and the MSRC doing right now?  Well, first off, we're working day and night on development of a cumulative security update for Internet Explorer that addresses the vulnerability.  As we've been told many times, the focus should be on quality, but with a clear eye towards time. The security update is currently being finalized through testing to ensure the level of interoperability and application and web compatibility needed.  Right now, the update is on schedule, testing-wise, to be released (meeting the quality goals customers have asked for) as part of the April security updates on April 11, 2006.  But as I said, we're actively keeping an eye on any attempts to utilize this in an attack.  We'll release it sooner if warranted.

Right now we’re monitoring the attempts to exploit this vulnerability and we’re working with our industry partners and law enforcement to remove the malicious Web sites using the vulnerability as they pop up. That’s a key point because it’s important that we work to limit the ability of attackers to utilize this vulnerability in criminal attacks.

I want to caution everyone to take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code.  If you are concerned about exploitation of the vulnerability by websites you frequently visit, you should follow the guidance on safe browsing at:

Enterprise customers should review our recent Security Advisory (917077) for up-to-date guidance on how to prevent attacks through exploitation of this vulnerability while we work on the update.  

One other thing to note.  Everyone should know that the security update addressing this vulnerability is a cumulative update that contains all previous security updates for Internet Explorer, new security updates for issues unrelated to the current attacks, as well as minor non-security related changes to how Internet Explorer handles some Web pages that use ActiveX controls.

For more information on these changes, you should check out security advisory 912945.

The MSRC and your Internet Explorer team are working on this issue day and night.  This is an ongoing issue and we will post more guidance as it becomes available.


*This posting is provided “AS IS” with no warranties, and confers no rights.*