New Flaw could affect Internet Explorer 6, 7 and 8

Microsoft issued a new security advisory on Wednesday, warning of a potential flaw in Internet Explorer which could allow third parties access to data.

"Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location," Microsoft said in the security advisory.

This comes after an out-of-band patch was released for Internet Explorer to patch a vulnerability, details of which were released by Google in January after a targeted attack upon them which resulted in the theft of intellectual property. The attack led Google to announce it would be withdrawing support for Internet Explorer 6.

The new vulnerability affects IE 5.01 and IE 6 on Windows 2000, IE 6 on Windows 2000 SP4, and IE 6, IE 7 and IE 8 on Windows XP and Windows 2003. It could also affect Internet Explorer 7 and IE 8 on Windows Vista, Windows 7 and Windows Server 2008 if a user opts to disable Protected Mode or, in the case of Windows Server 2003 and 2008, is not running IE in Enhanced Security Configuration.

"The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites," Microsoft's security advisory explains.

No exploits have yet been reported to take advantage of the vulnerability, so it remains to be seen whether Microsoft will deem it necessary to release another out-of-band patch or wait for the scheduled release day of February 9th.


63 Comments


Relativity_17 said,
Wait, let me get this straight.

In Vista and 7, if you turn off a feature designed to protect you, you become more vulnerable to attacks? What a novel idea.

Yep. Nice business model, isn't it? Like "We make your OS more "secure" by creating new features you can disable". So security depends exclusively ON THE USER, not on the Operating System. It's about educating people, about telling them how to use the software, not forcing them to buy something that won't fix this whole Flaw/Fix/buy scheme.

Mocosoft said,

Yep. Nice business model, isn't it? Like "We make your OS more "secure" by creating new features you can disable". So security depends exclusively ON THE USER, not on the Operating System. It's about educating people, about telling them how to use the software, not forcing them to buy something that won't fix this whole Flaw/Fix/buy scheme.

And if MS forces the protected mode and an addin from vendor XYZ no longer works because an idiot coded without regard to security, then they run to the media and the EU and the US Attorney general screaming MONOPOLY tactics...

So either Microsoft gives people TOO much control or TOO little control? WTF?

Mocosoft said,
Yep. Nice business model, isn't it? Like "We make your OS more "secure" by creating new features you can disable". So security depends exclusively ON THE USER, not on the Operating System. It's about educating people, about telling them how to use the software, not forcing them to buy something that won't fix this whole Flaw/Fix/buy scheme.
huh? Are you suggesting some kind of conspiracy whereby MS giving users OS options is a way to get them to buy stuff? The UAC options are there for users, because users demanded them. I'm sure MS would have preferred to not have the switch at all.

thenetavenger said,

And if MS forces the protected mode and an addin from vendor XYZ no longer works because an idiot coded without regard to security, then they run to the media and the EU and the US Attorney general screaming MONOPOLY tactics...

So either Microsoft gives people TOO much control or TOO little control? WTF?

It's not monopoly. It's just about who's the big company here. And if they are, well, that's a problem for those who work with them or want to program for them. New updates on the OS require code writers to update their development tools or understand new security schemes, and that's Money they will have to pay to MS for knowledge or license issues.

Kirkburn said,
huh? Are you suggesting some kind of conspiracy whereby MS giving users OS options is a way to get them to buy stuff? The UAC options are there for users, because users demanded them. I'm sure MS would have preferred to not have the switch at all.

As they give options they must teach customers how to use them properly. It's about education since they are the ones making the big mess by being the biggest-selling software company. It's about responsibility tho.

Mocosoft said,
As they give options they must teach customers how to use them properly. It's about education since they are the ones making the big mess by being the biggest-selling software company. It's about responsibility tho.
It's not like they didn't put warnings on the UAC options, nor do they say "go here, change this!".

Kirkburn said,
It's not like they didn't put warnings on the UAC options, nor do they say "go here, change this!".

A warning is an option/choice/decision that in the end the USER will have to take. So that's not enough. Microsoft NEEDS to teach their customers how to use Windows properly. But that's something they won't do, that would involve more money for them to spend.

Edited by Mocosoft, Feb 4 2010, 11:58pm :

So, Microsoft don't patch 2 year old vulnerabilities, then 2 years later tell customers they have a black hole on the desktop and you must hurry to get an update (which won't appear quickly) or switch an option in their software. Not every person reads this kind of news or this information gets spread for everyone who actually uses IE. So nice move to promote marketing by getting people to get Vista or W7.

/imnotafanboyofanyOS.

Mocosoft said,
So, Microsoft don't patch 2 year old vulnerabilities, then 2 years later tell customers they have a black hole on the desktop and you must hurry to get an update (which won't appear quickly) or switch an option in their software. Not every person reads this kind of news or this information gets spread for everyone who actually uses IE. So nice move to promote marketing by getting people to get Vista or W7.
A flaw that affects XP, Vista and Win7 - the latter two via a user-set option - is a method to get people to upgrade to ... Vista and Win7? I'm sorry, your logic makes no sense.

Edited by Kirkburn, Feb 4 2010, 9:08pm :

Kirkburn said,
A flaw that affects XP, Vista and Win7 - the latter two via a user-set option - is a method to get people to upgrade to ... Vista and Win7? I'm sorry, your logic makes no sense.

A user-set option ordinary customers DON'T KNOW how to use in the correct way! Microsoft must invest in education!

Mocosoft said,
A user-set option ordinary customers DON'T KNOW how to use in the correct way! Microsoft must invest in education!
What does that even mean? Education how? Do you mean within Windows, or outside Windows?

Tbh, an OS shouldn't need a manual.

Edited by Kirkburn, Feb 4 2010, 10:25pm :

Kirkburn said,
What does that even mean? Education how? Do you mean within Windows, or outside Windows?

Tbh, an OS shouldn't need a manual.

The OS needs a manual. That's the whole damn problem. Not everyone has the same understanding skills as you to "O"perate the "S"ystem.

Mocosoft said,
The OS needs a manual. That's the whole damn problem. Not everyone has the same understanding skills as you to "O"perate the "S"ystem.
So I still don't understand what you want. Which is better: the OS being designed so that a manual isn't required, or creating a manual? I'd go for the former, which is what MS and Apple already spend time doing.

Kirkburn said,
So I still don't understand what you want. Which is better: the OS being designed so that a manual isn't required, or creating a manual? I'd go for the former, which is what MS and Apple already spend time doing.

The way to go inevitably is Open source. That won't happen in a while, but that's the future of programming. So that way, users won't need patches anymore or manuals, 'cause they will KNOW how to USE IT and correct the problems. That's why I say MS needs to educate people about how their OS works. But this is all just Utopia.

Mocosoft said,
The way to go inevitably is Open source. That won't happen in a while, but that's the future of programming. So that way, users won't need patches anymore or manuals, 'cause they will KNOW how to USE IT and correct the problems. That's why I say MS needs to educate people about how their OS works. But this is all just Utopia.
Wow, that is not what I was expecting.

No, open source does not mean people will know how to use it, nor that they won't need patches or manuals. They are entirely separate, essentially unrelated concepts.

It's not like using Firefox means I know more about patching or hacking browsers, or that the open source nature automatically means it's easier to use.

Don't get me wrong, open source is good - but it won't solve those issues.

Edited by Kirkburn, Feb 5 2010, 1:16am :

Mocosoft said,

The way to go inevitably is Open source. That won't happen in a while, but that's the future of programming. So that way, users won't need patches anymore or manuals, 'cause they will KNOW how to USE IT and correct the problems. That's why I say MS needs to educate people about how their OS works. But this is all just Utopia.

Kirkburn, I believe what he speaks of is referred to as a utopian state. In this techno-illiterate world the MS, APPLE, FOSS userbases would actually have to WANT to know how to use the system they have chosen. Just because someone can code, doesn't mean they know how to set up a network and secure it. They learn what they want and rarely stray from this scenario.

Edited by basix, Feb 5 2010, 1:03am : After-thought

basix said,

Kirkburn, I believe what he speaks of is referred to as a utopian state. In this techno-illiterate world the MS, APPLE, FOSS userbases would actually have to WANT to know how to use the system they have chosen. Just because someone can code, doesn't mean they know how to set up a network and secure it. They learn what they want and rarely stray from this scenario.

Exactly. Programming should be a common subject in every school. We are in a tech-world already, so there should be lots of emphasis on this.

Mocosoft said,

Exactly. Programming should be a common subject in every school. We are in a tech-world already, so there should be lots of emphasis on this.

Programming is and has been offered just as shop or woodwork where I come from and I went to school in the early nineties! It is up to the user to take interest in it. In my utopian world you would need a class and a certificate to take your ass onto the (yes I'm going to say it) information super-highway. When I think about purchasing an OS I see it as what fits the user's needs. Education falls upon the user. If Apple wants to dumb down their OS to appease their masses then let them! The user probably doesn't want to dig deep into the OS and more to the point they don't know that they can or even why they would. Microsoft is no more responsible for a user's actions due to a user being under-educated. FOSS, even more so. The latter two just happen to give you more rope to hang yourself with.

basix said,

Programming is and has been offered just as shop or woodwork where I come from and I went to school in the early nineties! It is up to the user to take interest in it. In my utopian world you would need a class and a certificate to take your ass onto the (yes I'm going to say it) information super-highway. When I think about purchasing an OS I see it as what fits the user's needs. Education falls upon the user. If Apple wants to dumb down their OS to appease their masses then let them! The user probably doesn't want to dig deep into the OS and more to the point they don't know that they can or even why they would. Microsoft is no more responsible for a user's actions due to a user being under-educated. FOSS, even more so. The latter two just happen to give you more rope to hang yourself with.

"Education falls upon the user." That's the big issue. Education should be from those like local Government and big companies that have the capital to do so.

This isn't hand-holding 101. It could be argued that driving is a dangerous and challenging task for people. They read a book and take a test; and pay for it! Over and over again! And if this isn't enough, there are full-blown courses to correct and educate those who don't get it.

Now you're saying that governments and companies should educate the masses who seem to have found a new hobby. 'Cause that's what a computer at home is, a hobby device. When a user manages to wrangle some features out of it, it becomes useful to the user and the hobby becomes enjoyable.

I will remind you that those high school classes are electives. The users elected themselves out of education. I as a taxpayer should pay for this! Ha!

http://operation420.net/forum/viewtopic.php?f=16&t=1323

Just when I post I was gonna give IE a chance...

If I keep up with updates will it be fine? I can't let this stop me from using IE. I probably should get used to using it...

It could also affect Internet Explorer 7 and IE 8 on Windows Vista, Windows 7 and Windows Server 2008 [b]if a user opts to disable protected mode[/b]

Stupid comments from Neowin users that cannot read make me cry...

RealFduch said,

Stupid comments from Neowin users that cannot read make me cry...


Turning off User Account Control will automatically disable IE Protected Mode in Vista.

And most programs (even Microsoft programs) ask to disable the UAC.
