
Microsoft Rushes to Patch 'Serious' Flaw in IE6, IE7

Source: Tom's Hardware US

Microsoft is rushing to patch what's described as a serious flaw in Internet Explorer 6 and Internet Explorer 7 after the code for exploiting the security hole was published online.

Microsoft has announced that it is currently testing a patch for an IE6 and IE7 flaw after the exploitation code was made public by Israeli security researcher Moshe Ben Abu. Though the next Patch Tuesday is not until early April, Microsoft's Jerry Bryant said the release of the code means there would likely be a patch before then.

"We have seen speculation that Microsoft might release an update for this issue out-of-band," Bryant, a senior communications manager with the Microsoft Security Response Center (MSRC), wrote in a blog post. "I can tell you that we are working hard to produce an update which is now in testing," he said, adding, "This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows."

Microsoft warned users of the vulnerability last week, only to have researcher Moshe Ben Abu release the exploitation code the next day. The vulnerability is said to exist due to an invalid pointer reference being used within IE. Microsoft says it is possible for the invalid pointer to be accessed after an object is deleted.

"In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution," Microsoft said in its advisory.
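The advisory describes a pointer that is still reachable after the object it refers to has been deleted. As an added illustration (not code from Microsoft, Internet Explorer, or this article), the C example below shows one defensive pattern against that bug class, generation-checked handles; the object table and the `obj_*` function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object table: callers hold handles, never raw pointers. */
#define SLOTS 4
typedef struct { uint32_t gen; int live; int value; } slot_t;
typedef struct { uint32_t index; uint32_t gen; } handle_t;
static slot_t table[SLOTS];

/* Create an object; the handle records the slot's current generation. */
handle_t obj_create(int value) {
    handle_t h = { SLOTS, 0 };                 /* invalid until a slot is found */
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            table[i].value = value;
            h.index = i;
            h.gen = table[i].gen;
            break;
        }
    }
    return h;
}

/* Resolve a handle; NULL if the object was deleted or its slot reused. */
const int *obj_get(handle_t h) {
    if (h.index >= SLOTS) return NULL;
    const slot_t *s = &table[h.index];
    if (!s->live || s->gen != h.gen) return NULL;   /* stale reference */
    return &s->value;
}

/* Delete: bump the generation so every outstanding handle goes stale. */
int obj_delete(handle_t h) {
    if (obj_get(h) == NULL) return -1;         /* double delete rejected */
    table[h.index].live = 0;
    table[h.index].gen++;
    return 0;
}

int main(void) {
    handle_t a = obj_create(6);
    obj_delete(a);
    handle_t b = obj_create(7);                /* reuses the freed slot */
    printf("stale=%s fresh=%d\n", obj_get(a) ? "usable" : "rejected", *obj_get(b));
    return 0;
}
```

With a raw pointer, the stale reference `a` would alias whatever now occupies the reused slot; with the generation check it resolves to NULL instead.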

Microsoft has released an automated workaround, but the Fix It is only effective for users running Windows XP and Windows Server 2003.


Comments
  • 21
    Hellbound, March 15, 2010 5:24 PM
    I thought IE6 was put to pasture..
  • 5
    JohnnyLucky, March 15, 2010 5:42 PM
    IE6? Is it still alive and well? I thought it would have faded away by now.
  • 5
    lightsaber, March 15, 2010 5:45 PM
    I thought IE6 support was done away with??
  • 15
    doomtomb, March 15, 2010 5:51 PM
    I know a faster patch: upgrade to IE8 or better yet, get Firefox.
  • -6
    Regulas, March 15, 2010 5:57 PM
    Even if you don't use IE, MS has the browser tied to the OS at the kernel level, scary. Another reason to use Linux or a Mac.
  • -2
    Regulas, March 15, 2010 5:58 PM
    Kernel level attachment gives the FEDS their back door to your computer.
  • 8
    NapoleonDK, March 15, 2010 5:59 PM
    I understand a little about code execution and pointers and data structures/tables etc. from back in high school, but what exactly does "remote code execution" mean?

    In my circle of friends it's mostly just twisted around into a dirty joke...

    Bill: "I'll remotely execute YOUR code!"
    Ted: "I'll remotely execute your MOM'S code!"
    Bill: "I'm gonna remotely execute YOUR FACE right now!"

    Admin: "If you two don't calm down, I'll remotely execute all your base, then lock and sticky this as an example of why today's games all cater towards console kiddies!!!"
  • 2
    brendano257, March 15, 2010 6:01 PM
    In other news: The only way to fix IE is to change to Firefox or Chrome. Any other method is avoiding the fact that IE is just an awful browser.
  • 3
    brendano257, March 15, 2010 6:02 PM
    NapoleonDK: "I understand a little about code execution and pointers and data structures/tables etc. from back in high school, but what exactly does "remote code execution" mean?"


    Remote Code Execution: Someone is running code on your computer through another computer/network/system. So they can run what they want on your computer without sitting in that chair, that's all it is.
  • 0
    NapoleonDK, March 15, 2010 6:11 PM
    brendano257: "...that's all it is."

    Appreciate it man, have a nice one. +1

    So say someone has this remote capability, what are they gonna do with it? What's the goal? Initiate file transfer/download botnet client? And why do people pursue vulnerabilities like this? Is there money in it for them? Or are they just doing it to be a pain in the nethers?
  • 0
    nforce4max, March 15, 2010 6:24 PM
    Get the concrete already, it's been long enough for that zombie that is IE6.
    Why six feet of dirt when it can be six feet of solid reliable concrete?
  • 0
    slayerz636, March 15, 2010 6:47 PM
    long live xp lol
  • -1
    JonnyDough, March 15, 2010 10:52 PM
    Now if they could just get IE8 to work without crashing. I have to restart IE8 after leaving tabs up for a day or two. It isn't just Vista or XP. It happens on both.
  • 0
    OvrClkr, March 15, 2010 11:33 PM
    I use Opera and to this date I have not seen a crash. IE and FF crash on a daily basis...
  • -1
    razor512, March 16, 2010 3:16 AM
    Some people with IE6 generally keep it because upgrading to IE7 or 8 would mean that you lose the ability to have FTP folders on your desktop which can easily be read from or written to.

    There's no need to upgrade and lose that functionality if you use Firefox as your main browser.
  • -1
    daggs, March 16, 2010 4:00 AM
    Hey! IE6 is supposed to be dead! I want my flowers back! I've wasted a lot of money on the funeral's flower setup!
    Who the hell does he think he is? A celebrity?