Tag Archives: Internet Explorer

Severe IE vulnerability threatens Windows XP users

Filed under Security, Software

News of a newly discovered bug in VBScript and Windows Help files in Internet Explorer that could allow a remote attacker to run an arbitrary command reached Microsoft on Friday, and the company immediately began investigating the matter.

After two days, they confirmed that this vulnerability “could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box”, and that there has been no news of attacks exploiting it so far.

Maurycy Prodeus, the security analyst who discovered the vulnerability, says that Windows XP SP3 running IE 8, 7 or 6 is vulnerable, while Microsoft assures that users running Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista are not affected by this issue.

Microsoft has yet to confirm when the fix will be released, but Computerworld reports that Prodeus himself offered a temporary solution: blocking TCP port 445. “However, it is worth noting that blocking this port doesn’t solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim’s machine at a known path location using some third-party browser plug-ins,” he said.

Source: Help Net Security

http://www.net-security.org/secworld.php?id=8935

Microsoft: Emergency IE Patch Coming

Filed under Patches, exploit

Microsoft has started dropping broad hints that an emergency patch for Internet Explorer will be released very soon to counter targeted attacks and the publication of exploit code for a “browse and you’re owned” vulnerability in its flagship Web browser.

The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend.

The decision to ship the IE patch outside of Microsoft’s scheduled Patch Tuesday releases follows the release of exploit code into the Metasploit attack tool.

The Metasploit code only works against Internet Explorer 6, but there are claims in the security research community that the vulnerability has been successfully exploited on IE7 (Windows Vista) as well as on IE6 on Windows XP.

The vulnerability was discovered during zero-day attacks against several big-name U.S. companies, including Google, Adobe and Juniper Networks. During those attacks, data-stealing malware exploited the flaw against systems running IE6 on Windows XP.

Microsoft says the ongoing attacks remain “targeted to a very limited number of corporations” and are only effective against Internet Explorer 6. However, with the exploit code now in Metasploit, malware purveyors could begin tinkering with exploits geared to newer versions of the browser.

Now, Microsoft is imploring its customers to upgrade immediately to IE 8. A special guidance page has been published to offer information on how to mitigate this vulnerability and avoid attacks.

Microsoft’s Security Research & Defense team has created and released a one-click “Fix It” tool to allow users to enable DEP (Data Execution Prevention) on older versions of the browser. DEP, a crucial anti-exploit mitigation, is enabled by default on IE8 only.

Source: ThreatPost

Microsoft knew of just-patched IE zero-day for months

Filed under Patches

Microsoft may not have hustled as fast as researchers thought when the company patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.

According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed “K4mr4n” posted attack code to the Bugtraq security mailing list on Nov. 20.

iDefense’s Zero Day Initiative (ZDI), one of the two best-known bug bounty programs, reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published Wednesday.

IE6 and IE7, two versions of Microsoft’s browser that collectively accounted for approximately 39% of all browsers used last month, were the only editions affected by the vulnerability. The ancient IE 5.01 and the new IE8 were immune to the threat.

Three days after K4mr4n publicized the exploit proof-of-concept, Microsoft confirmed that the attack code worked, and issued a security advisory that provided some information about the bug. At no time, however, did it acknowledge it knew of the vulnerability, only going as far as to say it was investigating the issue.

Source: Computerworld

Microsoft patch batch includes fix for zero-day IE flaw

Filed under Patches

Microsoft delivered its monthly security update on Tuesday to rectify 12 vulnerabilities, five of which are present in Internet Explorer (IE) and comprise the most pressing patch to deploy.

That bulletin – MS09-072 – is the only patch that carries both a “critical” severity rating and an Exploitability Index grade of one, meaning consistent exploit code is likely. One of the five flaws was a zero-day for which proof-of-concept code was publicly available.

“[The patch] is at the top of the deployment priority list this month,” Jerry Bryant, senior security program manager at Microsoft, said on Tuesday in a blog post.

Microsoft originally confirmed the flaw, rated critical on all Windows platforms except Server 2008, in an advisory it released late last month. Experts anticipate that malware writers will work quickly to create exploits for the bug, considering the holiday shopping season is in full swing.

Source: SC Magazine UK

Microsoft to cover Windows, Internet Explorer and Office on Patch Tuesday

Filed under Patches

Microsoft is to release six new security bulletins addressing 12 vulnerabilities in Windows, Internet Explorer and Microsoft Office on tomorrow’s Patch Tuesday.

Jerry Bryant, security program manager for Microsoft Security Response Center, wrote in the company blog that three of the bulletins have a maximum severity rating of critical and three have a maximum severity rating of important.

Bryant said: “To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and IE. On the Office side, the bulletins impact Project, Word and Works 8.5. All of the updates for Windows will require a restart so please plan accordingly.”

A vulnerability addressed in late November in Internet Explorer will also be covered.

Source: SC Magazine UK

IE8 bug makes “safe” sites unsafe

Filed under Security, Software

The latest version of Microsoft’s Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe.

The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors into webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition that they not be identified. Microsoft was notified of the vulnerability a few months ago, they said.

Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that’s designed to prevent XSS attacks against sites.

Source: The Register