Feeds

MS to issue emergency patch for potent IE vuln

Researchers show exploits for IE 7 and 8

  • alert
  • submit to reddit

Protecting users from Firesheep and other Sidejacking attacks with SSL

Microsoft will release an emergency update that patches the Internet Explorer vulnerability used to breach the security defenses of Google and other large companies.

The software maker has said that real-world attacks against the browser continue to be "very limited" and that they're effective only against version 6, which was first released in 2001. Still, researchers have determined that it's possible to exploit more recent versions using well-known techniques, causing the level of concern generated by the vulnerability to spiral since last week, when Google revealed that it 20 other companies were hit by highly sophisticated attacks that pilfered intellectual property and user data.

Independent researchers have since raised the number of victims to 34 and said source code was specifically appropriated.

"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability," George Stathakopoulos, the general manager of the company's Trustworthy Computing Security group, wrote Tuesday morning. "We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time."

Typically, Microsoft releases patches on the second Tuesday of each month so that IT workers who administer tens of thousands of PCs have an opportunity to test how the changes will affect their systems. The company releases security patches outside that schedule only in rare cases. Microsoft won't say when the out-of-band update will be released until Wednesday, at the earliest.

The previously unknown IE vulnerability was used to compromise PCs used by Google and at least some of the other companies that were hit by the attacks. While that exploit code was effective only on IE 6, researcher Dina Dai Zovi said he has developed proof-of-concept code that at least partially compromises machines running IE 7. Security firm Vupen Security went even further saying in a very brief advisory that it was possible to remotely execute code on machines running IE 8.

Microsoft said it is working to confirm those claims, but the findings are a good indication that with enough time, successful in-the-wild attacks on more recent platforms are likely unless an emergency patch is issued.

While the underlying null pointer reference flaw is present in all recent versions of IE, a safety feature known as DEP, or data execution prevention, makes it much harder to exploit the bug to remotely hijack machines when running more recent browsers and operating systems. The successful attacks against IE 7 and IE 8 incorporate well-known techniques to bypass DEP. So far, Dai Zovi has been able only to read sensitive files when exploiting IE 7 on Windows Vista, but he still can't modify system settings. He says he's close to being able to carry out more powerful attacks, including on IE 8, pointing out obvious limitations to the protection.

Still, he mostly agrees with Microsoft guidance that systems that use a variety of protections - including DEP, ASLR, or address space layout randomization, and protected mode - will be significantly protected from exploits targeting the vulnerability.

Computer users "should eat their vegetables and exercise regularly like people have been telling them for 20 years," Dai Zovi told The Register. "DEP is not an excuse not to eat your vegetables. These mitigations are speed bumps. They're not perfect, so it requires paying conscious attention." ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.