Microsoft says Vista, IE7 defenses can overcome poor code
In Windows Vista and Windows Server 2008, IE7 runs in "Protected Mode," meaning the browser operates with restrictive privileges, Michael Howard, a senior security program manager at Microsoft, wrote Thursday on the company's Security Development Lifecycle blog.
In other words, the browser withholds rights for unknown sources to silently install programs or modify data.
"Protected Mode significantly reduces the ability of an attacker to write, alter or destroy data on the user's machine or to install malicious code," according to Microsoft's Internet Explorer Developer Center website.
In addition, platforms running Server 2003 and 2008 contain the Internet Explorer Enhanced Security Configuration, which prevents vulnerable code from running, Howard wrote.
Microsoft on Wednesday delivered an emergency fix to rectify a data-binding vulnerability, which was being exploited to install information-stealing trojans on victims' machines. Security firms had reported that thousands of websites worldwide had been compromised with the attack code, most of them based in Europe and Asia.
Dave Marcus, director of security research and communications at McAfee Avert Labs, said researchers are still spotting active attacks targeting the flaw, including one in which malware writers embedded a malicious ActiveX control into a Word document.
"You think you're opening up a Word document and what's running in the background is trying to get you to a site on Internet Explorer," without the victim's knowledge, Marcus told SCMagazineUS.com on Friday.
Howard said: "I think this bug is a great example of how you will never get your code 100 percent right, so multiple defenses are critical."
In his analysis of the vulnerability, he also explained that the vulnerability "was an invalid pointer dereference in MSHTML.DLL, when the code handles data binding." Data binding is the way in which applications present and interact with data.
Howard added that the flaw was not related to a heap-based buffer overflow, but instead involved a memory error.