RSS Alerts

Share

More services

Related Links

Related Stories

  • Microsoft promises Internet Explorer patch as Windows zero-day surfaces
    Microsoft has promised an Internet Explorer out-of-band patch for the zero-day vulnerability discovered earlier this month. In the meantime, a trusted researcher has highlighted a flaw in all versions of Microsoft Windows that could lead to privilege escalation.
  • FireEye claims protection against Internet Explorer zero-day attack
    Security appliance company FireEye has said that its products can detect the latest zero-day vulnerability in Internet Explorer without any software patches.
  • Internet Explorer zero-day code goes public
    The Internet Explorer exploit code used in the Operation Aurora attack against Google and other technology companies has made it into the public domain, and has been incorporated into the Metasploit penetration testing tool, it was revealed this weekend.
  • Internet Explorer vulnerability used in Google attack
    More details are emerging concerning the concerted attacks on over 20 technology companies, including Google, that were revealed earlier this week. The attackers targeted a vulnerability in Internet Explorer, according to Microsoft. It is now investigating the flaw, which could allow attackers to execute arbitrary code.
  • Firefox tops apps security vulnerability list for 2009
    The Firefox browser topped the list of software applications with most security vulnerabilities in 2009, according to a report from application whitelisting firm Bit9.

Top 5 Stories

News

Internet Explorer zero-day vulnerability spreads to Microsoft Office as fixes surface

20 January 2010

Microsoft has scheduled an out-of-band patch for the zero-day vulnerability in Internet Explorer, just as other fixes for the problem began to surface. The company has also admitted for the first time that the attack could be used to compromise a computer using Microsoft Office.

Microsoft, which announced yesterday that it would create an out-of-band patch for the Internet Explorer flaw, today issued further guidance on timelines. The patch will be issued tomorrow, the company said this morning. "We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible," said Microsoft representative Jerry Bryant.

Bryant confirmed that the attack, previously thought to affect only Microsoft Internet Explorer, can be used to exploit Microsoft Office files, if a malicious Active X control is embedded in the file. The company has advised users to disable Active X in Microsoft Office to remediate this problem.

Microsoft also addressed new reports of a workaround that bypasses the Data Execution Prevention (DEP) technology that, when turned on, is meant to stop the zero-day exploit from working. Proof-of-concept code has been released demonstrating that workaround, although Microsoft hasn't seen any exploits in the wild yet.

"We have analyzed the proof-of-concept exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to Address Space Layout Randomization (ASLR). On Windows XP, attackers could make the bypass techniques more reliable," Microsoft said.

McAfee released a special version of its Stinger malware cleansing tool specifically for the Internet Explorer vulnerability, which emerged last week. Called Aurora Stinger, it detects and removes threats associated with the malware attacks, which threaten Internet Explorer 6 exclusively today, but which could theoretically be developed into attacks on later versions of the browser.

Aurora Stinger also includes a link to the McAfee Global Threat Intelligence service, a cloud-based system that will deliver information on any newly discovered variants in real time to the software tool.

Such is the urgency of the zero-day flaw that at least one unofficial patch has begun circulating for the vulnerability, according to McAfee.

"Patching is of course a good idea, just don't apply any patch," said McAfee CTO George Kurtz. "These unofficial patches may seem like a good idea as they appear to provide immediate protection, but applying a patch from an unknown source for software that was created by someone else just isn't a good idea."

Developers have released unofficial patches for Internet Explorer in the past. The Zero Day Emergency Response Team, which has not been active in three years, released several of its own patches for Microsoft products between 2006 and 2007.

This article is featured in:
Application Security • Internet and Network Security • Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

Terms & Conditions |Privacy |Website Design|Reed Exhibitions. All rights reserved. Copyright © 2012