Microsoft warns of new zero-day exploit for Internet Explorer

Microsoft has posted a new warning about a vulnerability that affects its Internet Explorer browser. The zero-day flaw, which is already being exploited in the wild, allows malicious users to install malware on a vulnerable machine.

According to CRN.com, the vulnerable “systems include Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7. However, Microsoft said that so far, Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected.”

The exploit is triggered by an invalid pointer reference. When the object reference is deleted, that invalid reference could allow malicious users to install and launch malware. Microsoft said that the current attacks appear to be targeted, but that it is working towards a fix.

For anyone still using a legacy version of Internet Explorer, this is one more compelling reason to upgrade to IE 8. By upgrading to IE 8, you remove one more potential exploit that could allow malware to be installed on your machine.

35 Comments

This particular exploit requires Windows 2000 Service Pack 4, that was four operating systems ago for desktops! I don't know of any businesses that are still running WIN 2000, even if they are running outdated browsers.

Microsoft should release an optional update to IE8 which comes with an IE6 mode for group policy defined domains. That way if someone is accessing a website from the defined list then it's just a case of switching rendering engines. Boom! Corporate software issues solved - no reason not to upgrade to IE8. I reckon that'd cover a good half of IE6 users. The other half will eventually upgrade when they can't use YouTube anymore.

This is just another reason to ditch IE and only use it as needed but increase the security of it (though some sites won't work) and IE6 blows and needs to be ripped apart piece by piece.

Scary part is in the last week I've upgraded 4 PCs from IE6... I just don't get it. They don't know about the upgrade? lol

Klethron said,
Oh good I'm stoked that Internet Explorer 5.01 Service Pack 4 isn't affected :P
Whoooooo! Hippy party, my place! Don't bother trying to find it!

I think the thing that is commonly being overlooked here is that some organizations have specialized software that requires IE6. We have a specialized radiology viewing application that requires IE6. The vendor has a new version of the software in beta, but it won't be released until the end of April. So, after testing and everything we might be lucky to have it installed by June 1st.

Until browsers like Firefox and Chrome offer corporate policy control that rivals IE, you will never see these browsers take off in the larger environments. It's that simple.

We still use IE6 in work for all web interface apps. So annoying. I use Chrome for browsing in work though.

Only Cabron would say that + be the first to post in the comments about an IE story :).

This is problems with IE6 SP1 on Windows 2000 but it's a weird story too. It doesn't mention XP with but I'm guessing it's affected in XP too cuz I don't think you can install IE7 on Windows 2000. I'm not sure if Vista IE7 is also included so let's just say, upgrade to Chrome, Firefox and IE8 and this won't be an issue!

XP SP2 here with IE7. Looks like my corporation needs to get on updating. Oh wait, our security filter prevents us from going to malicious websites :S

A lot of the IE6 users, in fact I'd even go so far as to say a majority of them, are corporate entities that are still using XP SP3. SP4, if there ever is one, needs to include IE8.

babyHacker said,
A lot of the IE6 users, in fact I'd even go so far as to say a majority of them, are corporate entities that are still using XP SP3. SP4, if there ever is one, needs to include IE8.

I seriously doubt there will be a Service Pack 4 for Windows XP.

este said,
What's even better is that support for IE6 has now ended. So now people will actually have to move on.

The 20% of people who still use IE6 are non-techie people and have no clue about the vulnerabilities that exist in IE6. So even if the support ends it's hard to move them off IE6. If I see any IE6 in my company and if I have access to that PC I download and install IE8.

still1 said,

The 20% of people who still use IE6 are non-techie people and have no clue about the vulnerabilities that exist in IE6. So even if the support ends it's hard to move them off IE6. If I see any IE6 in my company and if I have access to that PC I download and install IE8.

Which justifies the demand to put the browser ballot screen to all billion Windows users.

So we can give people the choice they *already have* to install other browsers that are just as susceptible to flaws?

ilev said,

Which justifies the demand to put the browser ballot screen to all billion Windows users.


Seriously? If the browser ballot screen had appeared in Win XP then people who chose IE6 would still have this exploit.
Nice how you think through your comment before posting :)

still1 said,

The 20% of people who still use IE6 are non-techie people and have no clue about the vulnerabilities that exist in IE6. So even if the support ends it's hard to move them off IE6. If I see any IE6 in my company and if I have access to that PC I download and install IE8.

Most IE6 users are business users that are not allowed to update to IE7/8 simply because the Windows Update is blocked via Group Policy. With the browser becoming unsupported, I imagine that this block is loosening up. In most other big companies, the Group Policy should be configured to force updates upon users (to install when they're ready, but install nonetheless).

Hackersoft MS MVP said,

Seriously? If the browser ballot screen had appeared in Win XP then people who chose IE6 would still have this exploit.
Nice how you think through your comment before posting :)

IE6 is still the most used browser and is still bundled with XP SP3. Every Windows user in the world should get the ballot screen so he can switch to FF, Chrome, Opera or IE8 and away from IE6/IE7 if he uses one.

still1 said,

The 20% of people who still use IE6 are non-techie people and have no clue about the vulnerabilities that exist in IE6. So even if the support ends it's hard to move them off IE6. If I see any IE6 in my company and if I have access to that PC I download and install IE8.

What about the businesses that still are forced to use IE6 because of the software/programs they work with? I understand it costs money to make the necessary upgrades happen but shouldn't a lot of the IT staffs be looking into something like this? And now that Win 7 is gaining popularity, it's only a matter of time before a lot of these stone age programs are cut off from support and they should know that. Vulnerabilities will always pop up but that is why upgrades/updates are issued...

este said,

What about the businesses that still are forced to use IE6 because of the software/programs they work with? I understand it costs money to make the necessary upgrades happen but shouldn't a lot of the IT staffs be looking into something like this? And now that Win 7 is gaining popularity, it's only a matter of time before a lot of these stone age programs are cut off from support and they should know that. Vulnerabilities will always pop up but that is why upgrades/updates are issued...

Businesses can configure IE8 to run in compatibility mode until they replace the dependent applications, or, for security, run those applications and IE6 in a VM.

Edited by ilev, Mar 10 2010, 4:06pm :

ilev said,

Businesses can configure IE8 to run in compatibility mode until they replace the dependent applications, or, for security, run those applications and IE6 in a VM.

Most companies will only upgrade their IE6 infrastructure when they get hit hard by a vulnerability. Basically when it costs them more money to do the clean up and stick with IE 6 than it would to upgrade. For most that would mean either a system wide attack or being sued because they knew about a vulnerability and did not fix it and some personal information got leaked that would not have if the company would have fixed the problem, as in applying a security update or upgrading the browser.

Edited by war, Mar 11 2010, 3:25am :