New Year, Same Old IE Problem

Sue Marquette Poremba

I have something to admit: My browser of choice is Internet Explorer. I like the interface better than the other browsers out there. I also know that all of the other browsers have their security downfalls, so it's always a matter of being careful. But I have to say, with the news that came out at the end of 2010 regarding more IE problems, it may be time to totally make the switch.


In December, Microsoft announced that all versions of IE-not just the extremely buggy IE6-are vulnerable to a hole that the Microsoft tech blog stated

could lead to unauthorized remote code execution inside the iexplore.exe process.

Or, as described on the Naked Security blog:

The vulnerability relies on a memory-usage bug when Internet Explorer processes a Cascading Style Sheet file. (CSS is the way you specify the look and feel of the HTML which makes up your web pages.) If the style sheet imports itself - something which would not normally be useful, since the CSS file is already loaded - then IE makes a mess of memory. This can be exploited to cause remotely-supplied code to be run without the usual security checks associated with IE downloads.
Sadly, this new exploit seems to work against all supported versions of Internet Explorer, right up to IE 8 on Windows 7, despite security improvements in Microsoft products such as Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR).

Because the next patch Tuesday isn't scheduled until Jan. 11, we welcomed 2011 with yet another IE security issue. It's frustrating. Maybe it's a hint that my New Year's resolution should be to rethink browser use.

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.