Microsoft warns of zero-day IE hole on Patch Tuesday

From CNET News.com: Microsoft warned of a new vulnerability in Internet Explorer 6 and IE 7 that has been targeted in attacks, and released fixes for eight holes in Windows and Office as part of Patch Tuesday.

The company issued Security Advisory 981374, which addresses a privately disclosed vulnerability. The hole could allow an attacker to take control of a machine if a user visited a malicious Web site, Microsoft said.

There are some features that could mitigate the effects of an attack. For instance, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone by default, the company said.

"Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of the vulnerability as an attacker who successfully exploited this vulnerability would have very limited rights on the system," the advisory said. "By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone."

The advisory also provides information on workarounds. Microsoft suggests that IE 6 and IE 7 users upgrade to IE 8 immediately.

View: Article @ Source Site