Wednesday 10 March 2010

IE6: Another serious vulnerability

Well, you had your chance.... Chances for that matter. It's really time to upgrade to IE8.... Today!

Microsoft has just released another security advisory for IE6 that allows Remote Code Execution yesterday which can be found here:


The reason I say you have had your chance (or in this case chances) Microsoft released an update in January to mitigate this issue hefty (which is now in the wild) as Jerry Bryant from Microsoft Security team highlights;

"At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. "

Meaning, that this exploit is now in the wild, and if you are running IE6 or the standard configuration of IE7, you are now pretty vulnerable to  attack.

You can find the Microsoft Security update MS010-002 here:

And for a description of the issue and some of the risks associated with this latest (greatest) IE6 issue you can read the CVE details here:


And, if you need to fix the issue (by enabling and turning DEP for IE) you can choose the Microsoft "Fix IT" (sounds familiar??) option here:


Note: this Microsoft Fix-IT approach will download an MSI onto your desktop. This Microsoft Installer package (MSI file) will update your local compatibility database with SDB file that will switch on DEP for your browser. Note: Enabling DEP may cause application issues for other applications and within IE itself.

Or, you could just upgrade to IE8 then..



No comments: