Microsoft is investigating claims of an Internet Explorer vulnerability that could allow an attacker to access victims' files. While Microsoft said it is not aware of any attacks targeting the vulnerability, the company warned Feb. 3 that if a user is not running IE in Protected Mode or is running IE on a Windows XP machine, an attacker may be able to access files with an already known file name and location.
According to the company, the vulnerability is the result of content being forced to render incorrectly from local files in such a way that information may be exposed to malicious Websites.
"At this time, we are unaware of any attacks attempting to use this vulnerability," the advisory said. "We will continue to monitor the threat environment and update this advisory if this situation changes."
The affected versions are Internet Explorer 5.01 Service Pack 4 (SP 4) on Windows 2000 Service Pack 4; IE 6 SP 1 on Windows 2000 SP 4; and IE 6, 7 and 8 on supported versions of Windows XP SP 2, Windows XP SP 3 and Windows Server 2003 SP 2.
"Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue," blogged Jerry Bryant, senior security communications lead for the Microsoft Security Response Center. "Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown. We have created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems."
In addition, Microsoft suggests users set Internet and local intranet settings to High so there is a prompt before running ActiveX controls or active scripting. Instructions on how to do that are contained within the advisory.
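The two workarounds above (Network Protocol Lockdown, and raising the Internet and local intranet zones to High) and the Protected Mode condition from the first paragraph are all per-machine or per-user registry state, so an administrator can audit a fleet for them before and after rolling out the Fix It. The script below is an added, read-only audit example written for this article; it is not Microsoft's Fix It and not code from the advisory. The zone value names it reads (CurrentLevel, 2500 for Protected Mode, 1200 for ActiveX controls, 1400 for active scripting) are documented IE zone settings; the FEATURE_PROTOCOL_LOCKDOWN key layout is my understanding of how the lockdown workaround is stored and is marked as an assumption to be checked against the advisory.

```powershell
# Added audit script, not from the article or from Microsoft's Fix It.
# Read-only: reports the settings the advisory's workarounds touch; changes nothing.
# Run as the user whose Internet Explorer profile you want to inspect.

$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Zone template levels as stored in the CurrentLevel value (0x12000 = High).
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium';
                 0x11500 = 'Medium-high'; 0x12000 = 'High' }

# Documented IE URL-action values: 2500 = Protected Mode (0 = on, 3 = off),
# 1200 = run ActiveX controls and plug-ins, 1400 = active scripting,
# each 0 = enable without prompt, 1 = prompt, 3 = disable.
$actionNames = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

function Describe-Action($value) {
    if ($null -eq $value) { return 'not set (zone default)' }
    $name = $actionNames[[int]$value]
    if ($name) { $name } else { "unknown ($value)" }
}

function Get-IEZoneStatus {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { Write-Warning "Zone key missing: $key"; continue }

        $level = $levelNames[[int]$p.CurrentLevel]
        if (-not $level) { $level = 'Custom (0x{0:X})' -f [int]$p.CurrentLevel }

        # Protected Mode exists only on Vista and later; on XP the 2500 value
        # is typically absent, which the article treats as the exposed case.
        $pm = if ($null -eq $p.'2500') { 'not available' }
              elseif ([int]$p.'2500' -eq 0) { 'On' } else { 'Off' }

        [pscustomobject]@{
            Zone          = $zones[$id]
            Level         = $level
            ProtectedMode = $pm
            ActiveX       = Describe-Action $p.'1200'
            Scripting     = Describe-Action $p.'1400'
        }
    }
}

function Get-ProtocolLockdownStatus {
    # ASSUMPTION: key layout for the Network Protocol Lockdown workaround as I
    # understand it (feature enabled for iexplore.exe, "file" restricted in the
    # Internet zone, 3). Verify against the advisory before relying on it.
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
    $fc = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $enabled = [bool]($fc -and [int]$fc.'iexplore.exe' -eq 1)

    $rp = Get-ItemProperty -Path "$base\RestrictedProtocols\3" -ErrorAction SilentlyContinue
    $fileRestricted = [bool]($rp -and ($rp.PSObject.Properties.Name -contains 'file'))

    [pscustomobject]@{
        LockdownEnabledForIE       = $enabled
        FileProtocolRestrictedZone3 = $fileRestricted
    }
}

# Summarise the article's risk condition: pre-Vista OS or Protected Mode off
# in the Internet zone, with no lockdown in place.
$os = [Environment]::OSVersion.Version
$zoneStatus = Get-IEZoneStatus
$lockdown = Get-ProtocolLockdownStatus

$zoneStatus | Format-Table -AutoSize
$lockdown | Format-List

$internet = $zoneStatus | Where-Object { $_.Zone -eq 'Internet' }
$noProtectedMode = ($os.Major -lt 6) -or ($internet -and $internet.ProtectedMode -ne 'On')
$noLockdown = -not ($lockdown.LockdownEnabledForIE -and $lockdown.FileProtocolRestrictedZone3)

if ($noProtectedMode -and $noLockdown) {
    Write-Warning 'Protected Mode not in effect and Network Protocol Lockdown not detected: apply the advisory workarounds.'
} elseif ($internet -and $internet.Level -ne 'High') {
    Write-Host 'Internet zone is not at High; the advisory also recommends raising it.'
} else {
    Write-Host 'Workarounds appear to be in place for this user.'
}
```

The script deliberately reads both HKCU zone values and the HKLM feature-control key, because the Fix It and Group Policy write to different places than the per-user Internet Options dialog; an audit that checks only one of them will miss machines that were mitigated the other way.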