Internet Explorer vulnerability could affect millions

Enterprise security testing software specialist Core Security Technologies is warning of a new vulnerability in Internet Explorer that could affect millions.

What happens, says Core CTO Ivan Arce, is that when affected versions of Internet Explorer are used to access a website, the browser does not apply the right security permissions – allowing unknown sites or applications to be treated as trusted URLs.

"This is a tangible threat to millions of individuals and organisations … and the discovery of this vulnerability in IE highlights the reality that no vendor is immune to the perils of client application security," comments Arce.

"This issue also illustrates the fact that a group of seemingly unrelated weaknesses can be combined to construct attacks that are effective beyond the narrow scope of exploiting just a single bug," he adds. "Likewise, the available workarounds show that, beyond simply deploying patches, a combination of security defences and mitigation strategies can effectively prevent attacks."

CoreLabs says the flaw affects IE versions 5, 6, and 7 under Windows 2000/2003/XP and Vista. Although it is present, the vulnerability cannot be exploited when a vulnerable version of IE is used in Protected Mode. Protected Mode is enabled by default in IE 7 for Vista.

At the time of the original report, Internet Explorer 8, then in the pre-release Beta phase, was also found to be vulnerable. However, the problem was fixed in the commercially released version of IE8.