By exploiting the zero-day bug, hackers could either get Internet Explorer to run malicious code remotely, or crash the browser. Microsoft has promised a fix.
For the second time in two days, Microsoft Corp. on Wednesday acknowledged a zero-day bug in Internet Explorer, but this time promised to patch the problem.
"We have confirmed this vulnerability," wrote Lennart Wistrand, lead security program manager, on the Microsoft Security Response Center (MSRC) blog. "I am writing a Microsoft Security Advisory on this…but we wanted to make sure customers knew we were aware of this and we will address it in a security update."
Secunia tagged the vulnerability with its second-most-dire "highly critical" label.
Although IE 7 and January edition of the IE 7 Beta 2 Preview are vulnerable to attack, Microsoft's Wistrand said that the March 20 version of IE 7's preview is not. TechWeb confirmed that the current IE 7 Beta 2 Preview, available for downloadhere, is safe, by independent testing using the proof-of-concept code that has been posted publicly.
Microsoft touts IE 7 as substantially more secure from attack than earlier versions; last month, in fact, Gary Schare, director of product management for IE, said that the final edition of 7 would "put an end to the last bastion of drive-by downloads."
Scripting vulnerabilities have plagued IE for more than two years. The most recent was a November 2005 flaw that was used by a large number of spyware sites to secretly install software on users' PCs
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.