Microsoft late yesterday issued Advisory 979352 with security advice for those using the Internet Explorer browser. A worrisome unpatched vulnerability in some versions of IE has been linked to the “Aurora” attacks against Google and more than two dozen other companies.
In short:
1. If you’re using IE 6 or 7, upgrade to IE 8.
2. If you’re running Windows XP with Service Pack 2, upgrade to Service Pack 3.
3. Turn on Data Execution Prevention if it is not already on.
The high profile attacks last week were all on corporate targets and Internet Explorer 6. Proof-of-concept code that exploits the vulnerability in Internet Explorer 7 on XP and Vista has been made public, but there are no known attacks, Microsoft said.
Jerry Bryant, writing on the Microsoft blog, seemed to suggest that the company would release an out-of-cycle patch (which is to say before the February patch Tuesday):
“We want to let customers know that we will release this security update as soon as the appropriate amount of testing has been completed. While we cannot yet give a date of when that will be we will keep customers updated.”
The computer security response teams in France and Germany have called on users to switch to a browser other than Internet Explorer until the vulnerability is patched. Although that might be a fairly easy fix for consumers, enterprise users often need Internet Explorer to communicate with IE-only applications or sites.
The U.S. Computer Security and Response Team Vulnerability Note VU#492515 can be found here.
Tom Kelchner