Today we released Security Advisory 981374 addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is not affected by this issue. Customers using Internet Explorer 6 or 7 should upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections. Additionally, Internet Explorer 5.01 on Windows 2000 is not affected.
At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. Additionally, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. Please review the Security Advisory for additional workarounds which include modifying the Access Control List (ACL) on iepeers.dll (the affected component), setting the Internet and local Intranet security zones to “high”, configuring Internet Explorer to prompt before running Active Scripting, and enabling Data Execution Prevention (DEP) where possible which makes it difficult to successfully exploit the vulnerability.
As always, we are investigating this issue and will take appropriate action to protect customers when we have finalized a solution. This may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative http://support.microsoft.com/common/international.aspx.
We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.
The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.
Please review the advisory for additional details and if the situation changes, we will provide an update here on the MSRC blog.
Sr. Security Communications Manager Lead
*This posting is provided “AS IS” with no warranties, and confers no rights.*