New Flaw could affect Internet Explorer 6, 7 and 8

Microsoft issued a new security advisory on Wednesday, warning of a potential flaw in Internet Explorer which could allow third parties access to data.

"Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location," Microsoft said in the security advisory.

This comes after an out-of-band patch was released for Internet Explorer to patch a vulnerability, details of which were released by Google in January after a targeted attack upon them which resulted in the theft of intellectual property. The attack led Google to announce it would be withdrawing support for Internet Explorer 6.

The new vulnerability affects IE 5.01 and IE 6 on Windows 2000, IE 6 on Windows 2000 SP4 and IE6, IE7 and IE8 on Windows XP and Windows 2003. It could also affect Internet Explorer 7 and IE 8 on Windows Vista, Windows 7 and Windows Server 2008 if a user opts to disable protected mode or, in the case of Windows Server 2003 and 2008, is not running IE in Enhanced Security Configuration.

"The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites," Microsoft's security advisory explains.

No exploits have yet been reported that take advantage of the vulnerability, so it remains to be seen whether Microsoft will deem it necessary to release another out-of-band patch or wait for the scheduled release day of February 9th.
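The advisory ties exposure on Vista, Windows 7 and Server 2008 to Protected Mode being switched off, and the discussion below notes that disabling User Account Control disables Protected Mode as well. The following PowerShell audit, added here as an example and not taken from the article or from Microsoft's advisory, reports both conditions on the current machine. The registry locations it reads are the well-known per-zone IE setting (value `2500` under the Internet Settings zone keys) and the UAC `EnableLUA` value; neither appears on the page, and the zone-name table is this example's own.

```powershell
# Added audit example (not from the article or the advisory).
# Reports whether IE Protected Mode is on for each security zone of the
# current user, and whether UAC is enabled, since Protected Mode depends on it.
# Registry paths are the standard IE/UAC locations, not values from the page.

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
    $key = Join-Path $zonesKey $zone
    # Value 2500: 0 = Protected Mode enabled, 3 = disabled; absent = zone default
    $val = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
    $state = switch ($val) {
        0       { 'enabled' }
        3       { 'DISABLED' }
        default { 'default/unset' }
    }
    '{0,-16} Protected Mode: {1}' -f $zoneNames[$zone], $state
}

# UAC: EnableLUA = 0 means UAC is off, which also takes Protected Mode away
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policy -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) {
    'UAC is OFF: Protected Mode is unavailable regardless of the zone settings above'
} else {
    'UAC is on'
}
```

Run it in a normal (non-elevated) PowerShell session so the `HKCU` zone keys read are those of the interactive user; a zone that prints `DISABLED`, or a machine that prints `UAC is OFF`, is one the advisory says the flaw can reach.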


It could also affect Internet Explorer 7 and IE 8 on Windows Vista, Windows 7 and Windows Server 2008 if a user opts to disable protected mode

Stupid comments from Neowin users that cannot read make me cry...

RealFduch said,

Stupid comments from Neowin users that cannot read make me cry...


Turning off User Account Control will automatically disable IE Protected Mode in Vista.

And most programs (even Microsoft programs) ask you to disable UAC.

http://operation420.net/forum/viewtopic.php?f=16&t=1323

Just when I posted I was gonna give IE a chance...

If I keep up with updates will it be fine? I can't let this stop me from using IE. I probably should get used to using it...

This isn't hand-holding 101. It could be argued that driving is a dangerous and challenging task for people. They read a book and take a test, and pay for it! Over and over again! And if this isn't enough, there are full-blown courses to correct and educate those who don't get it.

Now you're saying that governments and companies should educate the masses who seem to have found a new hobby. 'Cause that's what a computer at home is, a hobby device. When a user manages to wrangle some features out of it, it becomes useful to the user and the hobby becomes enjoyable.

I will remind you that those high school classes are electives. The users elected themselves out of education. I as a taxpayer should pay for this! Ha!

So, Microsoft doesn't patch 2 year old vulnerabilities, then 2 years later tells customers they have a black hole on the desktop and you must hurry to get an update (which won't appear quickly) or switch an option in their software. Not every person reads this kind of news, nor does this information get spread to everyone who actually uses IE. So, nice move to promote marketing by getting people to get Vista or W7.

/imnotafanboyofanyOS.

Mocosoft said,
So, Microsoft doesn't patch 2 year old vulnerabilities, then 2 years later tells customers they have a black hole on the desktop and you must hurry to get an update (which won't appear quickly) or switch an option in their software. Not every person reads this kind of news, nor does this information get spread to everyone who actually uses IE. So, nice move to promote marketing by getting people to get Vista or W7.
A flaw that affects XP, Vista and Win7 - the latter two via a user-set option - is a method to get people to upgrade to ... Vista and Win7? I'm sorry, your logic makes no sense.

Edited by Kirkburn, Feb 4 2010, 9:08pm :

Kirkburn said,
A flaw that affects XP, Vista and Win7 - the latter two via a user-set option - is a method to get people to upgrade to ... Vista and Win7? I'm sorry, your logic makes no sense.

A user-set option ordinary customers DON'T KNOW how to use in the correct way! Microsoft must invest in education!

Mocosoft said,
A user-set option ordinary customers DON'T KNOW how to use in the correct way! Microsoft must invest in education!
What does that even mean? Education how? Do you mean within Windows, or outside Windows?

Tbh, an OS shouldn't need a manual.

Edited by Kirkburn, Feb 4 2010, 10:25pm :

Kirkburn said,
What does that even mean? Education how? Do you mean within Windows, or outside Windows?

Tbh, an OS shouldn't need a manual.

The OS needs a manual. That's the whole damn problem. Not everyone has the same understanding skills as you to "O"perate the "S"ystem.

Mocosoft said,
The OS needs a manual. That's the whole damn problem. Not everyone has the same understanding skills as you to "O"perate the "S"ystem.
So I still don't understand what you want. Which is better: the OS being designed so that a manual isn't required, or creating a manual? I'd go for the former, which is what MS and Apple already spend time doing.

Kirkburn said,
So I still don't understand what you want. Which is better: the OS being designed so that a manual isn't required, or creating a manual? I'd go for the former, which is what MS and Apple already spend time doing.

The way to go inevitably is open source. That won't happen for a while, but that's the future of programming. That way, users won't need patches anymore, or manuals, because they will KNOW how to USE IT and correct the problems. That's why I say MS needs to educate people about how their OS works. But this is all just utopia.

Mocosoft said,
The way to go inevitably is open source. That won't happen for a while, but that's the future of programming. That way, users won't need patches anymore, or manuals, because they will KNOW how to USE IT and correct the problems. That's why I say MS needs to educate people about how their OS works. But this is all just utopia.
Wow, that is not what I was expecting.

No, open source does not mean people will know how to use it, nor that they won't need patches or manuals. They are entirely separate, essentially unrelated concepts.

It's not like using Firefox means I know more about patching or hacking browsers, or that the open source nature automatically means it's easier to use.

Don't get me wrong, open source is good - but it won't solve those issues.

Edited by Kirkburn, Feb 5 2010, 1:16am :

Mocosoft said,

The way to go inevitably is open source. That won't happen for a while, but that's the future of programming. That way, users won't need patches anymore, or manuals, because they will KNOW how to USE IT and correct the problems. That's why I say MS needs to educate people about how their OS works. But this is all just utopia.

Kirkburn, I believe what he speaks of is referred to as a utopian state. In this techno-illiterate world the MS, APPLE, FOSS userbases would actually have to WANT to know how to use the system they have chosen. Just because someone can code doesn't mean they know how to set up a network and secure it. They learn what they want and rarely stray from this scenario.

Edited by basix, Feb 5 2010, 1:03am : After-thought

basix said,

Kirkburn, I believe what he speaks of is referred to as a utopian state. In this techno-illiterate world the MS, APPLE, FOSS userbases would actually have to WANT to know how to use the system they have chosen. Just because someone can code doesn't mean they know how to set up a network and secure it. They learn what they want and rarely stray from this scenario.

Exactly. Programming should be a common subject in every school. We are in a tech-world already, so there should be lots of emphasis on this.

Mocosoft said,

Exactly. Programming should be a common subject in every school. We are in a tech-world already, so there should be lots of emphasis on this.

Programming is and has been offered just as shop or woodwork where I come from, and I went to school in the early nineties! It is up to the user to take interest in it. In my utopian world you would need a class and a certificate to take your ass onto the (yes, I'm going to say it) information super-highway. When I think about purchasing an OS I see it as what fits the user's needs. Education falls upon the user. If Apple wants to dumb down their OS to appease their masses then let them! The user probably doesn't want to dig deep into the OS and, more to the point, they don't know that they can or even why they would. Microsoft is no more responsible for a user's actions due to a user being under-educated. FOSS, even more so. The latter two just happen to give you more rope to hang yourself with.

basix said,

Programming is and has been offered just as shop or woodwork where I come from, and I went to school in the early nineties! It is up to the user to take interest in it. In my utopian world you would need a class and a certificate to take your ass onto the (yes, I'm going to say it) information super-highway. When I think about purchasing an OS I see it as what fits the user's needs. Education falls upon the user. If Apple wants to dumb down their OS to appease their masses then let them! The user probably doesn't want to dig deep into the OS and, more to the point, they don't know that they can or even why they would. Microsoft is no more responsible for a user's actions due to a user being under-educated. FOSS, even more so. The latter two just happen to give you more rope to hang yourself with.

"Education falls upon the user." That's the big issue. Education should come from those like local government and big companies that have the capital to do so.

Wait, let me get this straight.

In Vista and 7, if you turn off a feature designed to protect you, you become more vulnerable to attacks? What a novel idea.

Relativity_17 said,
Wait, let me get this straight.

In Vista and 7, if you turn off a feature designed to protect you, you become more vulnerable to attacks? What a novel idea.

Yep. Nice business model, isn't it? Like "We make your OS more 'secure' by creating new features you can disable". So security depends exclusively ON THE USER, not on the Operating System. It's about educating people and telling them how to use the software, not forcing them to buy something that won't fix this whole Flaw/Fix/Buy scheme.

Mocosoft said,

Yep. Nice business model, isn't it? Like "We make your OS more 'secure' by creating new features you can disable". So security depends exclusively ON THE USER, not on the Operating System. It's about educating people and telling them how to use the software, not forcing them to buy something that won't fix this whole Flaw/Fix/Buy scheme.

And if MS forces Protected Mode and an add-in from vendor XYZ no longer works because an idiot coded without regard to security, then they run to the media and the EU and the US Attorney General screaming MONOPOLY tactics...

So either Microsoft gives people TOO much control or TOO little control? WTF?

Mocosoft said,
Yep. Nice business model, isn't it? Like "We make your OS more 'secure' by creating new features you can disable". So security depends exclusively ON THE USER, not on the Operating System. It's about educating people and telling them how to use the software, not forcing them to buy something that won't fix this whole Flaw/Fix/Buy scheme.
Huh? Are you suggesting some kind of conspiracy whereby MS giving users OS options is a way to get them to buy stuff? The UAC options are there for users, because users demanded them. I'm sure MS would have preferred not to have the switch at all.

thenetavenger said,

And if MS forces Protected Mode and an add-in from vendor XYZ no longer works because an idiot coded without regard to security, then they run to the media and the EU and the US Attorney General screaming MONOPOLY tactics...

So either Microsoft gives people TOO much control or TOO little control? WTF?

It's not monopoly. It's just about who's the big company here. And if they are, well, that's a problem for those who work with them or want to program for them. New updates to the OS require code writers to update their development tools or understand new security schemes, and that's money they will have to pay to MS for knowledge or license issues.

Kirkburn said,
Huh? Are you suggesting some kind of conspiracy whereby MS giving users OS options is a way to get them to buy stuff? The UAC options are there for users, because users demanded them. I'm sure MS would have preferred not to have the switch at all.

As they give options they must teach customers how to use them properly. It's about education, since they are the ones making the big mess by being the biggest-selling software company. It's about responsibility, though.

Mocosoft said,
As they give options they must teach customers how to use them properly. It's about education, since they are the ones making the big mess by being the biggest-selling software company. It's about responsibility, though.
It's not like they didn't put warnings on the UAC options, nor do they say "go here, change this!".

Kirkburn said,
It's not like they didn't put warnings on the UAC options, nor do they say "go here, change this!".

A warning is an option/choice/decision that in the end the USER will have to make. So that's not enough. Microsoft NEEDS to teach their customers how to use Windows properly. But that's something they won't do; that would involve more money for them to spend.

Edited by Mocosoft, Feb 4 2010, 11:58pm :

The new vulnerability affects IE 5.01 and IE 6 on Windows 2000, IE 6 on Windows 2000 SP4 and IE6, IE7 and IE8 on Windows XP and Windows 2003. It could also affect Internet Explorer 7 and IE 8 on Windows Vista, Windows 7 and Windows Server 2008 if a user opts to disable protected mode or, in the case of Windows Server 2003 and 2008, is not running IE in Enhanced Security Configuration.

THE END OF THE ROAD FOR IE6 AND XP.
For Vista and 7 users there's no problem.

So let me get this straight. If I use Vista/7 with IE8 and I decide for whatever reason to turn off the protection options on IE8, I become prone to exploits?

What ever happened to common sense?

Einlander said,
So let me get this straight. If I use Vista/7 with IE8 and I decide for whatever reason to turn off the protection options on IE8, I become prone to exploits?

What ever happened to common sense?

Some poorly written web applications and plugins (such as Belkin's KVM-over-IP solutions!) require that Protected Mode be switched off. This is a heads-up for people who've forgotten to switch it back on, I guess.

aznkid25 said,
Here is a temporary fix from MS:
http://support.microsoft.com/default.aspx/kb/980088

Good catch, but be aware that these aren't 'fixes', merely workarounds, and may cause unexpected behaviour if you're not aware of what they do.

Northgrove said,
Sure sucks to be on XP and using IE these days. :p

Sure sucks to be on XP these days. They can keep their decade-old OS, I'm content with something a little more modern.

Edited by SkinAddict, Feb 5 2010, 7:34pm :

opensuse said,
Workaround: Use Firefox

... and become highly vulnerable to Flash Player's and Adobe Reader's frequent 0day flaws because of the lack of a sandbox?

No, thanks!

Way more secure on IE on Vista/7. The sandbox has never been broken, which means it's impossible to get infected by malware when visiting a site with IE on Vista/7, even if there are 0day flaws in IE or the Flash or Adobe Reader plugin.

link8506 said,

... and become highly vulnerable to Flash Player's and Adobe Reader's frequent 0day flaws because of the lack of a sandbox?

No, thanks!

Way more secure on IE on Vista/7. The sandbox has never been broken, which means it's impossible to get infected by malware when visiting a site with IE on Vista/7, even if there are 0day flaws in IE or the Flash or Adobe Reader plugin.

You poor deluded soul, one day you'll learn IE is THE worst thing to ever hit the net

z0phi3l said,
You poor deluded soul, one day you'll learn IE is THE worst thing to ever hit the net
More accurately, the lack of good updates to IE in recent years.

IE's early days were pretty good.

Edited by Kirkburn, Feb 4 2010, 8:46pm :

z0phi3l said,

You poor deluded soul, one day you'll learn IE is THE worst thing to ever hit the net

lol
Yeah, sure, the net would have been greater if Netscape was still ruling the world!

And IE9 with its hardware accelerated rendering will be an abomination to the eyes of firefox fanboys! Software rendering rules!

link8506 said,
And IE9 with its hardware accelerated rendering will be an abomination to the eyes of firefox fanboys! Software rendering rules!
Mozilla are working on hardware acceleration for Firefox. They started not long after Microsoft, and are getting reasonably far along with it. Track it here: https://bugzilla.mozilla.org/show_bug.cgi?id=527707 ... Firefox builds with it have been available since November.

Don't you love it when people think they know something, but really don't? :)

Edited by Kirkburn, Feb 4 2010, 8:29pm :

Kirkburn said,
Mozilla are working on hardware acceleration for Firefox. They started not long after Microsoft, and are getting reasonably far along with it. Track it here: https://bugzilla.mozilla.org/show_bug.cgi?id=527707 ... Firefox builds with it have been available since November.

Don't you love it when people think they know something, but really don't? :)


when are they doing this with chrome?

Kirkburn said,
Mozilla are working on hardware acceleration for Firefox. They started not long after Microsoft, and are getting reasonably far along with it. Track it here: https://bugzilla.mozilla.org/show_bug.cgi?id=527707 ... Firefox builds with it have been available since November.

Don't you love it when people think they know something, but really don't? :)

A) Since this is about security, go look up the flaws and exploits used, IE is 20x more secure than Firefox since Version IE7 on Vista compared to Firefox since that same time frame. (Not just patches, known vulnerabilities, but ONES ACTUALLY USED to attack users, especially via Flash and Java that get sandboxed in IE on Vista and Win7 because of Protected mode.)

B) Yes Firefox is working on a GPU accelerated version, but it was NOT started by the main developers, is a SIDE project, and WILL NOT include all the features that the IE team are already demonstrating accelerated because of how the Mozilla engine won't allow for acceleration to be 'tacked' on the way they are developing it.

C) Funny how people think they know stuff, huh? (PS if you want specific technical examples on what I'm referring to in either A or B, try me...)

link8506 said,
Way more secure on IE on Vista/7. The sandbox has never been broken, which means it's impossible to get infected by malware when visiting a site with IE on Vista/7, even if there are 0day flaws in IE or the Flash or Adobe Reader plugin.

link8506 said,
The sandbox has never been broken, which means it's impossible to get infected by malware when visiting a site with IE on Vista/7, even if there are 0day flaws in IE or the Flash or Adobe Reader plugin.

link8506 said,
which means it's impossible to get infected by malware when visiting a site with IE on Vista/7

link8506 said,
impossible
Dreams are so pretty.

thenetavenger said,
B) Yes Firefox is working on a GPU accelerated version, but it was NOT started by the main developers, is a SIDE project, and WILL NOT include all the features that the IE team are already demonstrating accelerated because of how the Mozilla engine won't allow for acceleration to be 'tacked' on the way they are developing it.
The concept of "main" developers doesn't make much sense for Firefox in the first place, and it doesn't mean development isn't happening, or that it won't be landing on trunk. Bas is, so far as I can tell, a Mozilla developer.

They're even working on cross platform acceleration via other methods.

By what measure are you suggesting it's "tacked on", or won't include all the features? (Not that I wouldn't expect some limitations - IE only has a single platform to deal with, after all)

Edited by Kirkburn, Feb 4 2010, 10:42pm :

thenetavenger said,

A) Since this is about security, go look up the flaws and exploits used, IE is 20x more secure than Firefox since Version IE7 on Vista compared to Firefox since that same time frame. (Not just patches, known vulnerabilities, but ONES ACTUALLY USED to attack users, especially via Flash and Java that get sandboxed in IE on Vista and Win7 because of Protected mode.)

B) Yes Firefox is working on a GPU accelerated version, but it was NOT started by the main developers, is a SIDE project, and WILL NOT include all the features that the IE team are already demonstrating accelerated because of how the Mozilla engine won't allow for acceleration to be 'tacked' on the way they are developing it.

C) Funny how people think they know stuff, huh? (PS if you want specific technical examples on what I'm referring to in either A or B, try me...)

Many people will argue that Firefox reports more of their vulnerabilities than Microsoft will. If this is true, and I think it is likely, then Firefox is getting burned by people like you who don't read the fine print.

Senlis said,

Many people will argue that Firefox reports more of their vulnerabilities than Microsoft will. If this is true, and I think it is likely, then Firefox is getting burned by people like you who don't read the fine print.

You beat me to the punch on this whole bloated argument. Firefox is actually open about their vulnerabilities and lets people assist in fixing them (open source FTW!), while MS just hides them until somebody else figures them out and makes them public.

Come on, you people don't HONESTLY believe that MS fixes those HUGE holes in a matter of days do you? No, they were aware of them, and developing a fix for them all along, they just accelerated it once somebody made it public!

Not again!!!!
I switched to Chrome last month... not an issue for me....
Where can I see a list of security flaws for Chrome?

still1 said,
Not again!!!!
I switched to Chrome last month... not an issue for me....
Where can I see a list of security flaws for Chrome?

Been around for 2 years. http://blogs.zdnet.com/security/?p=1858

ccoltmanm said,

Been around for 2 years. http://blogs.zdnet.com/security/?p=1858


That's an old article... those were the issues when Chrome was released.

still1 said,
That's an old article... those were the issues when Chrome was released.

But he probably uses it to convince people that Chrome is horrible and to use Opera instead!

Disclaimer: I have not actually looked at the article, just felt like starting ****.