Feeds

MS to issue emergency patch for potent IE vuln

Researchers show exploits for IE 7 and 8

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

Microsoft will release an emergency update that patches the Internet Explorer vulnerability used to breach the security defenses of Google and other large companies.

The software maker has said that real-world attacks against the browser continue to be "very limited" and that they're effective only against version 6, which was first released in 2001. Still, researchers have determined that it's possible to exploit more recent versions using well-known techniques, causing the level of concern generated by the vulnerability to spiral since last week, when Google revealed that it 20 other companies were hit by highly sophisticated attacks that pilfered intellectual property and user data.

Independent researchers have since raised the number of victims to 34 and said source code was specifically appropriated.

"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability," George Stathakopoulos, the general manager of the company's Trustworthy Computing Security group, wrote Tuesday morning. "We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time."

Typically, Microsoft releases patches on the second Tuesday of each month so that IT workers who administer tens of thousands of PCs have an opportunity to test how the changes will affect their systems. The company releases security patches outside that schedule only in rare cases. Microsoft won't say when the out-of-band update will be released until Wednesday, at the earliest.

The previously unknown IE vulnerability was used to compromise PCs used by Google and at least some of the other companies that were hit by the attacks. While that exploit code was effective only on IE 6, researcher Dina Dai Zovi said he has developed proof-of-concept code that at least partially compromises machines running IE 7. Security firm Vupen Security went even further saying in a very brief advisory that it was possible to remotely execute code on machines running IE 8.

Microsoft said it is working to confirm those claims, but the findings are a good indication that with enough time, successful in-the-wild attacks on more recent platforms are likely unless an emergency patch is issued.

While the underlying null pointer reference flaw is present in all recent versions of IE, a safety feature known as DEP, or data execution prevention, makes it much harder to exploit the bug to remotely hijack machines when running more recent browsers and operating systems. The successful attacks against IE 7 and IE 8 incorporate well-known techniques to bypass DEP. So far, Dai Zovi has been able only to read sensitive files when exploiting IE 7 on Windows Vista, but he still can't modify system settings. He says he's close to being able to carry out more powerful attacks, including on IE 8, pointing out obvious limitations to the protection.

Still, he mostly agrees with Microsoft guidance that systems that use a variety of protections - including DEP, ASLR, or address space layout randomization, and protected mode - will be significantly protected from exploits targeting the vulnerability.

Computer users "should eat their vegetables and exercise regularly like people have been telling them for 20 years," Dai Zovi told The Register. "DEP is not an excuse not to eat your vegetables. These mitigations are speed bumps. They're not perfect, so it requires paying conscious attention." ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.