When he spoke with Microsoft about his attack, Medina says, the company told him that it could not patch some of the flaws he exploited. In some cases, this was because the flaws were closely related to intended features of the browser. In other cases, the company worried that any fix would in turn open up additional security holes.
Medina says his attack currently works for all versions of Internet Explorer.
However, “customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue, as they benefit from Internet Explorer Protected Mode, which protects from this issue,” said Jerry Bryant, senior security communications manager lead at Microsoft, in a statement. He added that Microsoft has provided a set of instructions that XP users can implement to protect their computers. He notes, however, that Microsoft has not seen Medina’s attack in use in the wild.
Independent security researcher Dino Dai Zovi notes that many Internet Explorer users may not realize that they’re surfing the Internet without Protected Mode in place. Dai Zovi explains that users often disable Vista’s User Account Control, a built-in security feature that aims to make users aware of the privileges that applications are exercising, because they find its prompts annoying. What they often don’t realize, however, is that doing this also disables Protected Mode in Internet Explorer, since it relies on the same underlying mechanism. “Most users would probably want the added security protection that Protected Mode Internet Explorer provides,” Dai Zovi says.
Medina acknowledges that his attack doesn’t currently work in Protected Mode, but says this mode once again only protects against a single aspect of the threat. He’s been working recently to see if he can bypass Protected Mode: “If not me, someone else will do it.”