Following the public release of exploit code that attacks Internet Explorer 6 and 7, Microsoft has advised all users to upgrade to the latest version of the web browser, which remains unaffected by the exploit. A successful attack can result in remote takeover of the user’s computer.
A workaround to avoid the exploit was added last Wednesday, along with a Microsoft Fix that automates the workaround for Windows XP and Windows Server 2003 customers.
Meanwhile, an automatic update may be issued in time for Patch Tuesday: “We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows,” said Jerry Bryant, senior security communications manager lead with Microsoft.
The exploit takes advantage of a vulnerability in the browser caused by an invalid pointer reference: in certain circumstances, the pointer can be accessed after an object has been deleted by code executing on the host computer, possibly allowing the computer to be taken over entirely.
“At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes,” said Microsoft.
By Marie Boran