Members
  • Total Members: 12816
  • Latest: t114563
Stats
  • Total Posts: 28524
  • Total Topics: 8240
  • Online Today: 815
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Microsoft confirms new exploit in Internet Explorer 6, 7 & 8  (Read 1089 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Microsoft late Wednesday confirmed that all versions of Internet Explorer (IE) contain a critical vulnerability that attackers can exploit by persuading users to visit a rigged Web site.

Although the company said it would patch the problem, it is not planning to rush out an emergency update.

"The issue does not currently meet the criteria for an out-of-band release," said Carlene Chmaj, a spokeswoman for the Microsoft Security Response Center (MSRC), in an entry on the center's blog. "However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates": http://blogs.technet.com/b/msrc/archive/2010/12/22/microsoft-releases-security-advisory-2488013.aspx

Chmaj also downplayed the threat posed by the bug. "Currently the impact of this vulnerability is limited and we are not aware of any affected customers or active attacks targeting customers," she said.

The vulnerability in IE6, IE7 and IE8 surfaced several weeks ago when French security firm Vupen disclosed a flaw in IE's HTML engine. Tuesday, researchers posted a video demonstration of an attack, and added a reliable exploit to the Metasploit penetration toolkit.

That exploit used a technique revealed earlier this year by McAfee researchers that defeats a pair of important Windows defensive technologies -- ASLR (address space layout randomization) and DEP (data execution prevention) -- designed to stymie most attacks.

The appearance of the Metasploit attack code may have been what prompted Microsoft to take action, as the company's more technical "Security Research & Defense" blog highlighted the Metasploit module: http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx

In that blog, Microsoft security software engineer J. Serna also confirmed that IE's "mscorie.dll" file does not always automatically enable ASLR, a technology that randomly allocates executable memory to make it difficult for hackers to run their code.

Until a patch is ready, Microsoft urged users to use the Enhanced Mitigation Experience Toolkit (EMET) utility to bolster IE's defenses. The company provided instructions on how to configure EMET to block attacks in the accompanying security advisory: http://www.microsoft.com/technet/security/advisory/2488013.mspx

EMET is a tool designed for advanced users, primarily enterprise IT pros, and manually enables ASLR and DEP for specific applications. It's often used to reinforce older programs.

Microsoft has recommended EMET before as a stop-gap defense. In September, it told users to configure it to block attacks then targeting users of Adobe Reader. But this is just the second time that Microsoft has suggested users roll out EMET to protect an up-to-date Microsoft program.

EMET 2.0 is a free download available from Microsoft's site: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04

Users running IE7 or IE8 on Windows Vista and Windows 7 are less likely to be affected by a successful attack, Microsoft claimed, because those browsers include a feature called "Protected Mode" that prompts users before letting them install, run or modify certain operating system components.

Other browsers, including Firefox, Chrome, Safari and Opera, are not affected by the flaw.

The next regularly scheduled Patch Tuesday is Jan. 11, but because Microsoft usually updates the browser every other month, and just did so last week, it's possible the vulnerability won't be addressed until February.

Microsoft's usual practice is to release an emergency fix only if attacks appear and then grow in strength. Microsoft has never revealed how it sets the point at which a rush patch is triggered.

The last time the company issued an out-of-band update was late September when it patched a bug in the ASP.Net Web application framework.

(PCW)

Samker's Computer Forum - SCforum.info





 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising