Thursday, January 14, 2010

Microsoft warns of 0-day flaw in IE6, IE7, & IE8

Just one more reason to switch to Firefox as your Internet-browser-of-choice.  AOL users should be aware that the "AOL Browser" on Windows is just IE wearing an AOL "skin".

Microsoft Security Advisory (979352): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

... At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6.


Other reports suggest that this attack was used against Google and Adobe to invade their systems so seriously that Google is considering pulling out of China as a result.
  • 0-day Vulnerability In Internet Explorer 6, 7 And 8 Exploited In Recent Chinese Attack | CyberInsecure.com
    Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.

    According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.
  • US-CERT Current Activity: Microsoft Releases Security Advisory 979352
    Microsoft Releases Security Advisory 979352
    added January 14, 2010 at 06:49 pm

    Microsoft has released Security Advisory 979352 to alert users of a vulnerability in Microsoft Internet Explorer. The advisory indicates that exploitation of this vulnerability may allow an attacker to execute arbitrary code. Microsoft also indicates that it is aware of public, active exploitation of this vulnerability.

    US-CERT encourages users and administrators to review Microsoft Security Advisory 979352 and apply the suggested workaround of setting the Internet zone security setting to High to help mitigate the risks.

    Additional information about this vulnerability can be found in Vulnerability Note VU#492515.
  • SANS: 0-day vulnerability in Internet Explorer 6, 7 and 8
    Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer (apart from 5 – but no one has that around anymore, right?).

    While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult so as a temporary workaround you might want to enable it for older IEs (keep in mind that it might break some add-ons).

    Microsoft says that so far they only saw exploits against Internet Explorer 6. In a related post (here) McAfee said that this vulnerability was (one of those) used to compromise Google. So, it appears that it was maybe even a cocktail of 0-day exploits used (IE + Adobe).
  • McAfee Security Insights Blog » Blog Archive » Operation “Aurora” Hit Google, Others
  • Microsoft discloses zero-day IE flaw used in China attacks - SC Magazine US

No comments: