Microsoft warns on IE attacks
Microsoft has issued a workaround fix for an attack against IE, saying the threat was “limited”.
The attacks take advantage of a flaw in Cascading Style Sheets in Internet Explorer, which could let hackers execute code. While IE6, 7 and 8 are affected, attacks have so far only hit the two older versions on Windows XP. IE9 betas are not affected.
“As of now, the impact of this vulnerability is extremely limited and we are not aware of any affected customers,” said security communications manager Jerry Bryant, writing in the Microsoft security blog.
Bryant explained that the site hosting the malware has been taken down. “The exploit code was discovered on a single website which is no longer hosting the malicious code,” he noted. “When a website is discovered to host malicious software, we work through legal channels to take the site down.”
The attacks can be blocked by Microsoft’s Data Execution Protection, which is enabled by default on IE8 and can be flipped on for IE6 and IE7. Microsoft said attackers would find it difficult to get around DEP, and attempting it will probably cause IE to crash.
Microsoft also suggested a workaround using a local CSS file.
Bryant said the flaw did “not meet the criteria” for an out-of-band patch, so a fix will most likely arrive as part of Microsoft’s regular patching cycle.