Microsoft has, however, already addressed this specific security hole, namely the HTML Objects Memory Corruption vulnerability. While the flawed code still exists in the browser, the software giant took the necessary steps when it released the gold build of IE8 to ensure that the mitigations in place on Windows Vista and Windows 7 could no longer be circumvented.
“In the final release, a mitigation was put into place to protect against ASLR+DEP .NET bypass used in the contest, so right now, there is no known way to attack this issue in the default configuration of IE 8 on Windows Vista. Regardless, MS09-019 addresses the underlying vulnerability which is rated as Critical on Windows XP and Windows Vista but due to IE 8’s built-in mitigations, it only rates as a ‘3’ for Windows Vista on the Exploitability Index while Windows XP is rated as ‘1’,” explained Jerry Bryant, Sr. security program manager lead.
In addition, users already running the latest public development milestone of Windows 7, Release Candidate Build 7100, have nothing to worry about, since the vulnerability does not impact IE8 on top of this specific platform version. However, for testers who are still running Beta Build 7000 of Windows 7 and Windows Server 2008 R2, the updates can be accessed via the links below.
- Security Update for Internet Explorer 8 in Windows 7 Client Beta
- Security Update for Internet Explorer 8 in Windows 7 Client Beta for x64-based Systems
- Security Update for Internet Explorer 8 in Windows 7 Server Beta 64-bit Itanium Edition
- Security Update for Internet Explorer 8 in Windows 7 Server Beta for x64-based Systems
Internet Explorer 8 (IE8) RTW is available for download here (for 32-bit and 64-bit flavors of Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).