Microsoft investigating new IE browser vulnerability

Summary: Microsoft's security response team is investigating reports of a potentially dangerous code execution vulnerability in its flagship Internet Explorer browser.

The company warned that an attacker could host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the page and then press the F1 key in response to a pop-up dialog box.

Microsoft's Jerry Bryant said the company is not aware of any attacks related to this vulnerability.

"We have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue," Bryant said.

From the MSRC blog:

The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as “unsafe file types”. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system.

Although this issue has been publicly documented, Microsoft has not yet provided pre-patch mitigation guidance or workarounds for affected customers.

UPDATE: I'm told that Microsoft will issue a formal security advisory sometime today to provide more details on affected platforms and a workaround to help IE users prevent winhlp32.exe from launching.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
