Zero Day Threat: Microsoft Security Advisory For IE 6, 7, 8 [blogs.technet.com]
|Today we released Security Advisory 2458511 to address a new vulnerability that could impact Internet Explorer users if they visit a website hosting malicious code. As of now, the impact of this vulnerability is extremely limited and we are not aware of any affected customers. The exploit code was discovered on a single website which is no longer hosting the malicious code. When a website is discovered to host malicious software, we work through legal channels to take the site down. These kinds of attempts to exploit systems and the people using technology are the activity of criminals. Microsoft takes this very seriously and where possible, we will take legal action against those responsible. |
Internet Explorer 9 Beta users are not affected by this issue and any customers who wish to upgrade their browser to this version can do so freely at www.microsoft.com/ie. Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue.
Security Advisory 2458511? Does this mean that there have been almost 2.5 million of them since IE came out?
Probably not, but damn funny either way.
A single mysterious site was somehow monitored using mysterious methods and suggests IE6, 7 and 8 users need to switch to 9.
What is this, the second grade rumor mill?
|The security flaw resides in a part of IE that handles CSS, or Cascading Style Sheets, tags. As a result, the browser under-allocates memory, allowing data to be overwritten in memory vtable pointers. By spraying memory with special data, an attacker can cause IE to execute code. |
The report is the latest reminder of the benefits of moving to the latest version of IE – or to a different browser altogether. Those who must use IE versions 6 or 7 should consider augmenting it with EMET, Microsoft's tool for locking down older applications. It can be used to add DEP and other security mitigations to a variety of programs, including IE and Adobe Reader.
Not so much rumor mill, but a heads up...
More vagueness even in that article...
|'More than a few organizations' hit |
I can cause my website to execute code on your monitor too, lol.
IE comes with various methods for override control and auto-updating that IE6 does not have, thus making IE6 more secure (albeit against MS and authorities) than IE9 in different ways.
Which is the greater of two evils here? I'd like to see this supposed security flaw reproduced by a credible 3rd party before I listen, that's all.