Microsoft Adds Security Fix To IE 8

Posted on March 26, 2009
by hitbsecnews

Microsoft added a few final tweaks to its Internet Explorer 8 beta, resolving security issues in the browser to prevent attackers from remotely executing malicious attacks on Windows. The fix addressed a security flaw brought to light by security researchers Alexander Sotirov and Mark Dowd during the August BlackHat USA conference in Las Vegas.

Specifically, the flaw allowed them to bypass the Windows Vista defense-in-depth security layers that combine Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). In attacks targeting the IE browser, they used the .NET Framework to exploit a memory corruption vulnerability within the iexplore.exe process and subsequently run arbitrary code.

Microsoft said that the latest release of IE 8 on Windows Vista blocks the .NET+ASLR bypass mechanism from being used by malicious Web sites, which restores ASLR and DEP protection to the browser. The updated IE 8 includes a function that regulates the loading of the .NET MIME filter, preventing it from loading in the Internet and Restricted Sites zones and making it more challenging for attackers to launch malicious code after discovering security vulnerabilities.
