News

Microsoft Issues Workaround for IE 6 and 7 Flaw

• By Jabulani Leffall
• 03/15/2010

Microsoft published a workaround for an in-the-wild vulnerability in Internet Explorer 6 and 7, described last week.

The vulnerability, which doesn't affect IE 8, was first disclosed in a March 9 security advisory, which suggested that the bug could enable remote code execution-type exploits. Microsoft is considering releasing an out-of-band fix. On Friday, the company added a workaround to the advisory.

According to Redmond, IT administrators can leverage the workaround by "disabling the peer factory class through the modification of a registry key." To simplify matters, Microsoft pointed IT administrators to a Microsoft Fix It link that the company says will automate the workaround for Windows XP and Windows Server 2003 customers.

In an e-mailed statement, Microsoft Security Response Center spokesman Jerry Bryant said that his group is "working hard to produce an update which is currently in the testing phase."

Microsoft's continued testing of the vulnerability is "a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows," Bryant said.

He also warned that customers should test the workaround "thoroughly before deploying as certain functionality that depends on the peer factory class...may be affected." Such functions include printing a document from a Web page using IE or saving a Web page file during an IE session. Those two functions in particular, according to Bryant, may be affected by the installation of the workaround.

Andrew Storms, director of security at nCircle, believes that much like the IE zero-day bug in January, which received a lot of press because of its involvement in the "Aurora" exploit that hit Google, this bug will get what he called swift "mitigation assistance."

"The good news is that, at this time, IE 8 is not affected," Storms said. "There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser wars."

Bryant didn't specify if or when Microsoft's investigation might yield an out-of-band update. "We never rule out the possibility of an out-of-band update," he said regarding this IE bug.