Feeds

MS to issue emergency patch for potent IE vuln

Researchers show exploits for IE 7 and 8

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Microsoft will release an emergency update that patches the Internet Explorer vulnerability used to breach the security defenses of Google and other large companies.

The software maker has said that real-world attacks against the browser continue to be "very limited" and that they're effective only against version 6, which was first released in 2001. Still, researchers have determined that it's possible to exploit more recent versions using well-known techniques, causing the level of concern generated by the vulnerability to spiral since last week, when Google revealed that it 20 other companies were hit by highly sophisticated attacks that pilfered intellectual property and user data.

Independent researchers have since raised the number of victims to 34 and said source code was specifically appropriated.

"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability," George Stathakopoulos, the general manager of the company's Trustworthy Computing Security group, wrote Tuesday morning. "We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time."

Typically, Microsoft releases patches on the second Tuesday of each month so that IT workers who administer tens of thousands of PCs have an opportunity to test how the changes will affect their systems. The company releases security patches outside that schedule only in rare cases. Microsoft won't say when the out-of-band update will be released until Wednesday, at the earliest.

The previously unknown IE vulnerability was used to compromise PCs used by Google and at least some of the other companies that were hit by the attacks. While that exploit code was effective only on IE 6, researcher Dina Dai Zovi said he has developed proof-of-concept code that at least partially compromises machines running IE 7. Security firm Vupen Security went even further saying in a very brief advisory that it was possible to remotely execute code on machines running IE 8.

Microsoft said it is working to confirm those claims, but the findings are a good indication that with enough time, successful in-the-wild attacks on more recent platforms are likely unless an emergency patch is issued.

While the underlying null pointer reference flaw is present in all recent versions of IE, a safety feature known as DEP, or data execution prevention, makes it much harder to exploit the bug to remotely hijack machines when running more recent browsers and operating systems. The successful attacks against IE 7 and IE 8 incorporate well-known techniques to bypass DEP. So far, Dai Zovi has been able only to read sensitive files when exploiting IE 7 on Windows Vista, but he still can't modify system settings. He says he's close to being able to carry out more powerful attacks, including on IE 8, pointing out obvious limitations to the protection.

Still, he mostly agrees with Microsoft guidance that systems that use a variety of protections - including DEP, ASLR, or address space layout randomization, and protected mode - will be significantly protected from exploits targeting the vulnerability.

Computer users "should eat their vegetables and exercise regularly like people have been telling them for 20 years," Dai Zovi told The Register. "DEP is not an excuse not to eat your vegetables. These mitigations are speed bumps. They're not perfect, so it requires paying conscious attention." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.