Black Hat Hackers Conference Confirms New IE Flaw

Dennis Faas's picture

Microsoft has confirmed a flaw in Internet Explorer could be used by hackers to access the files on a user's computer. The flaw was demonstrated at a security conference this week.

The man who discovered the flaw, Jorge Luis Alvarez Medina of Core Security Technologies, says that so far as he can tell, it's not something which can be easily patched. The good news is that Windows Vista and Windows 7 both have default options for Internet Explorer which can block the problem.

Medina first noted the existence of the flaw last week, but held back details until this week's Black Hat Conference. Black Hat is a regular event, held in several international cities throughout the year, that brings together security professionals and software manufacturers.

Multiple Flaws Add Up To Big Problem

As part of his presentation, Medina noted that the problem is down to a series of design flaws in the browser. Individually they aren't problematic, but a hacker could combine the loopholes to access the computer's hard drive.

For understandable reasons, Medina only demonstrated how an attack might work and didn't go into detail publicly about what exactly the individual problems were or how they would be exploited. He did note that the main issue at stake was that Internet Explorer doesn't always behave the same way when accessing the same resources. (Source: computerworld.com)

Microsoft Touts Protected Mode

Microsoft has issued a security notice confirming that it is investigating the report and, as usual, says it will release a security update if appropriate. It noted that the browser's Protected Mode, which is enabled by default on all versions of Internet Explorer in Vista and Windows 7, will prevent the problem. It also says that MS Outlook will block an attempt to exploit the bug.

For those still using Windows XP, the firm notes that the exploit will only work if a user visits a specially crafted webpage, so taking care before clicking on suspicious or unsolicited links will limit the risk. It also advises tweaking Internet Explorer's security settings so that both the Internet and local Intranet zones are set to "High". (Source: microsoft.com)
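Both mitigations Microsoft names, Protected Mode and the "High" zone level, are stored as Internet Explorer zone settings in the registry and can be audited. The PowerShell below is an added example, not taken from the article or from Microsoft's notice; it assumes the per-user settings under HKCU are the ones in effect, and the function name Get-ZoneMitigationStatus is hypothetical.

```powershell
# Added example: audit the zone mitigations for the current user.
# Assumption: only the per-user hive (HKCU) is read. Machine-wide policy
# under HKLM can override these values and is not inspected here.
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Internet Explorer URL security zone numbers covered by the advice.
$Zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# CurrentLevel stores the zone's security template; 0x12000 is "High".
$HighLevel = 0x12000

# URL action 2500 is Protected Mode (Vista and later): 0 = on, 3 = off.
$ProtectedModeAction = '2500'

function Get-ZoneMitigationStatus {
    param([int]$ZoneId, [string]$ZoneName)

    $key   = Join-Path $ZonesRoot $ZoneId
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Missing key or value yields $null, reported as "not set".
    $level = if ($props) { $props.CurrentLevel } else { $null }
    $pm    = if ($props) { $props.$ProtectedModeAction } else { $null }

    $levelText = if ($level -eq $null) { 'not set' } else { '0x{0:X}' -f $level }
    $pmText = switch ($pm) {
        0       { 'enabled' }
        3       { 'disabled' }
        default { 'not set for this user (system default applies)' }
    }

    New-Object PSObject -Property @{
        Zone          = $ZoneName
        CurrentLevel  = $levelText
        IsHigh        = ($level -eq $HighLevel)
        ProtectedMode = $pmText
    }
}

# Report both zones; IsHigh = False marks a zone not at the advised level.
$Zones.GetEnumerator() | Sort-Object Name | ForEach-Object {
    Get-ZoneMitigationStatus -ZoneId $_.Name -ZoneName $_.Value
} | Select-Object Zone, CurrentLevel, IsHigh, ProtectedMode | Format-Table -AutoSize
```

On Windows XP the Protected Mode column will always read "not set", since that feature exists only on Vista and later.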

Medina suggested that because the flaw is part of the browser's design rather than a simple mistake, it's worth considering using a rival browser for added security (or upgrading to IE8 if you can).
