Feeds

MS to issue emergency patch for potent IE vuln

Researchers show exploits for IE 7 and 8

  • alert
  • submit to reddit

Website security in corporate America

Microsoft will release an emergency update that patches the Internet Explorer vulnerability used to breach the security defenses of Google and other large companies.

The software maker has said that real-world attacks against the browser continue to be "very limited" and that they're effective only against version 6, which was first released in 2001. Still, researchers have determined that it's possible to exploit more recent versions using well-known techniques, causing the level of concern generated by the vulnerability to spiral since last week, when Google revealed that it 20 other companies were hit by highly sophisticated attacks that pilfered intellectual property and user data.

Independent researchers have since raised the number of victims to 34 and said source code was specifically appropriated.

"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability," George Stathakopoulos, the general manager of the company's Trustworthy Computing Security group, wrote Tuesday morning. "We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time."

Typically, Microsoft releases patches on the second Tuesday of each month so that IT workers who administer tens of thousands of PCs have an opportunity to test how the changes will affect their systems. The company releases security patches outside that schedule only in rare cases. Microsoft won't say when the out-of-band update will be released until Wednesday, at the earliest.

The previously unknown IE vulnerability was used to compromise PCs used by Google and at least some of the other companies that were hit by the attacks. While that exploit code was effective only on IE 6, researcher Dina Dai Zovi said he has developed proof-of-concept code that at least partially compromises machines running IE 7. Security firm Vupen Security went even further saying in a very brief advisory that it was possible to remotely execute code on machines running IE 8.

Microsoft said it is working to confirm those claims, but the findings are a good indication that with enough time, successful in-the-wild attacks on more recent platforms are likely unless an emergency patch is issued.

While the underlying null pointer reference flaw is present in all recent versions of IE, a safety feature known as DEP, or data execution prevention, makes it much harder to exploit the bug to remotely hijack machines when running more recent browsers and operating systems. The successful attacks against IE 7 and IE 8 incorporate well-known techniques to bypass DEP. So far, Dai Zovi has been able only to read sensitive files when exploiting IE 7 on Windows Vista, but he still can't modify system settings. He says he's close to being able to carry out more powerful attacks, including on IE 8, pointing out obvious limitations to the protection.

Still, he mostly agrees with Microsoft guidance that systems that use a variety of protections - including DEP, ASLR, or address space layout randomization, and protected mode - will be significantly protected from exploits targeting the vulnerability.

Computer users "should eat their vegetables and exercise regularly like people have been telling them for 20 years," Dai Zovi told The Register. "DEP is not an excuse not to eat your vegetables. These mitigations are speed bumps. They're not perfect, so it requires paying conscious attention." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.