2010 hasn"t seen a particularly good start to the year for Microsoft"s flagship browser, Internet Explorer.
Microsoft officials are now warning that a new vulnerability has been discovered in Internet Explorer running on Windows XP. Secunia, a Danish computer security service provider, claims the vulnerability affects Internet Explorer 7 on a fully patched Windows XP SP3 system but that other versions may also be affected. Microsoft officials confirmed the flaw could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.
Microsoft confirmed the issue involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what Microsoft refers to as “unsafe file types”. The file types are designed to invoke automatic actions during normal use of the files but can also be used by attackers to try and compromise a system. In a company blog posting on Sunday, Microsoft"s Senior Security Communications Manager - Jerry Bryant, confirmed the company is still investigating the issue. "We are not aware of any attacks seeking to exploit this issue at this time and in the current state of our investigation, we have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue," said Bryant.
Microsoft"s Internet Explorer has had a rough start to the year:
January
The year started off badly when a vulnerability was unveiled after Google went public that they were targeted in a sophisticated cyber-attack. The breach, involving Internet Explorer 6, resulted in the theft of intellectual property. Both the French and German governments warned their populations to cease using Internet Explorer due to the un-patched flaw. The flaw was later patched in a rare out of band security update. If that wasn"t bad enough a new flat in Internet Explorer was discovered just a day after the out of band patch.
February
If January was a month to remember then February certainly wasn"t much better. At the beginning of the month a new vulnerability was discovered, affecting IE 5.01 and IE 6 on Windows 2000, IE 6 on Windows 2000 SP4 and IE6, IE7 and IE8 on Windows XP and Windows 2003. The software giant patched the flaw in a bumper patch Tuesday which contained 13 bulletins - five rated Critical, seven rated Important, and one rated Moderate - addressing 26 vulnerabilities.