Feeds

MS to issue emergency patch for potent IE vuln

Researchers show exploits for IE 7 and 8

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

Microsoft will release an emergency update that patches the Internet Explorer vulnerability used to breach the security defenses of Google and other large companies.

The software maker has said that real-world attacks against the browser continue to be "very limited" and that they're effective only against version 6, which was first released in 2001. Still, researchers have determined that it's possible to exploit more recent versions using well-known techniques, causing the level of concern generated by the vulnerability to spiral since last week, when Google revealed that it 20 other companies were hit by highly sophisticated attacks that pilfered intellectual property and user data.

Independent researchers have since raised the number of victims to 34 and said source code was specifically appropriated.

"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability," George Stathakopoulos, the general manager of the company's Trustworthy Computing Security group, wrote Tuesday morning. "We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time."

Typically, Microsoft releases patches on the second Tuesday of each month so that IT workers who administer tens of thousands of PCs have an opportunity to test how the changes will affect their systems. The company releases security patches outside that schedule only in rare cases. Microsoft won't say when the out-of-band update will be released until Wednesday, at the earliest.

The previously unknown IE vulnerability was used to compromise PCs used by Google and at least some of the other companies that were hit by the attacks. While that exploit code was effective only on IE 6, researcher Dina Dai Zovi said he has developed proof-of-concept code that at least partially compromises machines running IE 7. Security firm Vupen Security went even further saying in a very brief advisory that it was possible to remotely execute code on machines running IE 8.

Microsoft said it is working to confirm those claims, but the findings are a good indication that with enough time, successful in-the-wild attacks on more recent platforms are likely unless an emergency patch is issued.

While the underlying null pointer reference flaw is present in all recent versions of IE, a safety feature known as DEP, or data execution prevention, makes it much harder to exploit the bug to remotely hijack machines when running more recent browsers and operating systems. The successful attacks against IE 7 and IE 8 incorporate well-known techniques to bypass DEP. So far, Dai Zovi has been able only to read sensitive files when exploiting IE 7 on Windows Vista, but he still can't modify system settings. He says he's close to being able to carry out more powerful attacks, including on IE 8, pointing out obvious limitations to the protection.

Still, he mostly agrees with Microsoft guidance that systems that use a variety of protections - including DEP, ASLR, or address space layout randomization, and protected mode - will be significantly protected from exploits targeting the vulnerability.

Computer users "should eat their vegetables and exercise regularly like people have been telling them for 20 years," Dai Zovi told The Register. "DEP is not an excuse not to eat your vegetables. These mitigations are speed bumps. They're not perfect, so it requires paying conscious attention." ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New twist as rogue antivirus enters death throes
That's not the website you're looking for
ISIS terror fanatics invade Diaspora after Twitter blockade
Nothing we can do to stop them, says decentralized network
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.