Microsoft: upgrade to IE8, even though it's vulnerable

Software giant admits IE8 is affected by zero-day exploit - but wants users to upgrade anyway

Barry Collins
18 Jan 2010

Microsoft is advising its customers to upgrade to Internet Explorer 8 - even though the latest version of its browser is vulnerable to a serious security attack.

The software giant issued a statement urging people to upgrade their browser, after the zero-day exploit that was used to attack companies such as Google went public.

According to Microsoft's security advisory: "the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

But although the attacks seen until now have targeted Internet Explorer 6, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.

Nevertheless, Microsoft is still urging its customers to upgrade their browser to the latest version. "Customers using Internet Explorer 8 are not affected by currently known attacks and exploits due to the improved security protections in IE8," the company claims.

"To help protect our customers, we recommend that all customers immediately upgrade to Internet Explorer 8. Customers should also consider applying the workarounds and mitigations provided in our Security Advisory such as putting Internet zone security settings to High."

Other measures recommended by Microsoft include running the browser in Protected Mode and ensuring users aren't running with administrator privileges.

Microsoft says it's considering issuing a fix outside of the regular Patch Tuesday cycle to address the issue.
