Internet Explorer 8 is safe this time, while the vulnerability could allow for remote code execution when a user visits a website with the malicious inserted in it. Full details on the issue can be seen in Microsoft Security Advisory (981374).

The update is included with Security Bulletin MS10-018 and the flaw is rated as critical, and was originally expected during the 13th April update cycle.

“The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability” wrote Microsoft Security Response Center Group Manager Jerry Bryant.

The update is available from Microsoft Update, or will be pushed out to Windows users who have automatic updates turned on.

A new security advisory was posted by Microsoft last Wednesday, notifying users of a potential flaw in Internet Explorer which could allow third-parties access to data.

“Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location” said the advisory from Microsoft.

At this stage, there are no reported attacks using this vulnerability, but it is bound to be only a matter of time.

A patch is expected in a few days, on Tuesday 9th February 2010.

“This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights” said a note from Microsoft.

The update includes fixes for IE5.01, IE6, IE7, and IE8 on platforms from Windows 2000 to the newely released Windows 7.

The updated is rated critical and will be pushed out to all users who have Windows Update turned on. Alternatively, system administrators can find out more information plus download links in the Security Bulletin MS10-002.

Microsoft has hit back at claims, noting that the attacks could be avoided if the security zone settings were set to high.

“Using Internet Explorer in ‘secure mode’, as well as turning off Active Scripting, makes attacks more difficult but can not fully prevent them,” BSI said in a further statement.

Microsoft has acknowledged the vulnerability, which is present in all versions of Internet Explorer, including IE8 on Windows 7.

Microsoft is expected to release a patch in the coming weeks.

“Google Chrome Frame is an early-stage open source plug-in that seamlessly brings Google Chrome’s open web technologies and speedy JavaScript engine” and currently works in Internet Explorer 6, 7, and 8.

This plug-in would allow organisations to keep Internet Explorer 6, but still allow users to see pages that use HTML5 and advanced CSS features.

More information can be found on the Google Chrome Frame website.

The zero day exploit affects Internet Explorer 6 and 7 users when they visit an infected web site if they are using either Windows XP or Windows 2003.

Windows Vista, Windows 7 and Internet Explorer 8 users are safe for now. No patch is currently available but Microsoft has posted a workaround for the exploit.

A patch is in the works, but no details on when it will be released have been announced.

Links:

• Enable workaround
• Disable workaround

The patch which was marked as critical was pushed out using Windows Update last Tuesday, but there are still millions of unpatched versions out there.

The exploit allows remote attakers the ability to install spyware on vulnerable systems.

Users and system administrators are urged to make sure they install all critical patches from Microsoft.

Chapin Information Services conducted 21 security tests on Opera 9.62, Firefox 3.0.4, Internet Explorer 7, Safari 3.2, and Google Chrome 1.0. The results were not good.

Opera and Firefox fared the best, both passing 7 tests, with Internet Explorer 7 passing 5 tests. Both Safari and Google Chrome only passed 2 tests each.

It looks like browsers makers have a lot of work to do. Full results and details on each test can be found on the Chapin Information Services website.