Information about your favorite browser: news, articles and more.




A researcher posted a vulnerability against IE6 yesterday that uses random input to create a heap overflow in a Direct Animation object. Our team is testing a security update right now to fix this overflow, but in the meantime you can keep your systems safe from this vulnerability by disabling ActiveX controls in the internet zone. If you’re a desktop administrator responsible for a set of desktops, you can publish a more tactical fix by disabling the control. If you have the ability to set registry keys on user desktops, the following key will disable the vulnerable object:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]

"Compatibility Flags"=dword:00000400

…The good news in yesterday’s disclosure is that IE7 is safe against this attack and many of the other recent attacks on IE6. The input of the security community had a deep impact on the security strategy for IE7. As we worked with researchers to strengthen the core of the IE7 codebase against threats, we also eliminated threats on the periphery by reducing the attack surface that we expose to malicious websites. Most notably, IE7 reduces attack surface by disabling most ActiveX controls on the system by default. We actually went a step further with Direct Animation control and effectively remove it when you install IE7.

IEBlog: Direct Animation Overflow and IE7
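The registry change quoted above, as an added PowerShell example (not part of the IEBlog post): it ORs the 0x400 value, commonly called the kill bit, into any existing Compatibility Flags instead of overwriting them, then reads the value back to confirm it. The function names are illustrative, and the Wow6432Node path (the 32-bit registry view on 64-bit Windows) is an assumption that goes beyond the single key given on the page.

```powershell
# Added example: set and verify the kill bit for the CLSID given in the post.
# Run from an elevated prompt. Function names are illustrative.
$Clsid   = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'
$KillBit = 0x400                      # dword:00000400
$Name    = 'Compatibility Flags'
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Not on the page: 32-bit registry view used by 32-bit IE on 64-bit Windows.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$Key)
    # A missing key or missing value is treated as "no flags set".
    if (-not (Test-Path -Path $Key)) { return 0 }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the bit in so any other compatibility flags already set are preserved.
    $new = (Get-CompatFlags -Key $Key) -bor $KillBit
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $new -Force | Out-Null
}

foreach ($root in $Roots) {
    # Skip the 32-bit view on systems that do not have it.
    if (-not (Test-Path -Path (Split-Path -Path $root -Parent))) { continue }
    $key = Join-Path -Path $root -ChildPath $Clsid
    Set-KillBit -Key $key
    # Read the value back and report whether the bit is actually present.
    $flags = Get-CompatFlags -Key $key
    $ok = ($flags -band $KillBit) -eq $KillBit
    '{0}  flags=0x{1:X8}  killbit={2}' -f $key, $flags, $ok
    if (-not $ok) { Write-Error "Kill bit not set under $key" }
}
```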

