
MIT Technology Review

When he spoke with Microsoft about his attack, Medina says, the company told him that it could not patch some of the flaws he exploited. In some cases, this was because the flaws were closely related to intended features of the browser. In other cases, the company worried that any fix would in turn open up additional security holes.

Medina says his attack currently works for all versions of Internet Explorer.

However, “customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue, as they benefit from Internet Explorer Protected Mode, which protects from this issue,” said Jerry Bryant, senior security communications manager lead at Microsoft, in a statement. He added that Microsoft has provided a set of instructions that XP users can implement to protect their computers. He notes, however, that Microsoft has not seen Medina’s attack in use in the wild.

Independent security researcher Dino Dai Zovi notes that many Internet Explorer users may not realize that they’re surfing the Internet without Protected Mode in place. Dai Zovi explains that users often disable Vista’s user account control, a built-in security feature that aims to make users aware of the privileges that applications are exercising, because they find its prompts annoying. What they often don’t realize, however, is that doing this also disables Protected Mode Internet Explorer, since it relies on the same underlying mechanism. “Most users would probably want the added security protection that Protected Mode Internet Explorer provides,” Dai Zovi says.
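A defender-side audit of the dependency Dai Zovi describes, added here as an example and not part of the article: it reads the UAC switch and the Internet-zone Protected Mode value from the registry and reports the effective state. The registry locations and value meanings are taken from Microsoft's documentation for Vista/7-era Windows and are assumptions for other versions.

```powershell
# Added example (not from the article): report whether Internet Explorer is actually
# running with Protected Mode, taking the UAC dependency into account.
function Test-IEProtectedMode {
    # Assumed locations: EnableLUA is the machine-wide UAC switch; value "2500" under a
    # zone key is that zone's Protected Mode setting (0 = enabled, 3 = disabled).
    $uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet

    $uacValue = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).EnableLUA
    $pmValue  = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).'2500'

    $uacEnabled = ($uacValue -eq 1)
    $pmConfigured = ($pmValue -eq 0)

    # Protected Mode depends on UAC's integrity-level mechanism: if UAC is off,
    # the zone setting alone does not protect the browser.
    $effective = $uacEnabled -and $pmConfigured

    $reason = if (-not $uacEnabled) { 'UAC disabled, so Protected Mode cannot run' }
              elseif (-not $pmConfigured) { 'Protected Mode turned off for the Internet zone' }
              else { 'Protected Mode active for the Internet zone' }

    [pscustomobject]@{
        UACEnabled             = $uacEnabled
        ProtectedModeSetting   = $pmValue
        ProtectedModeEffective = $effective
        Reason                 = $reason
    }
}

Test-IEProtectedMode | Format-List
```

Run it in the user's own session, since the zone settings live under HKCU; a result with `ProtectedModeEffective` false is the misconfiguration the article warns about.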

Medina acknowledges that his attack doesn’t currently work in Protected Mode, but says this mode once again only protects against a single aspect of the threat. He’s been working recently to see if he can bypass Protected Mode: “If not me, someone else will do it.”


Credit: Technology Review

Tagged: Web, security, Microsoft, Black Hat, browsers, Internet Explorer

