Feeds

Redmond slow to fix IE 8 zero day, says 'harden up' while U wait

Phishers get fresh code execution bait

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Microsoft has decided not to rush out a fix for an IE 8 zero-day first identified seven months ago, instead telling users to harden up their browsers.

The vulnerability allowed attackers to execute arbitrary code on computers running the older Internet Explorer version 8 through drive-by and phishing attacks.

Details were made public through HP's Zero Day Initiative vulnerability clearing house after Microsoft failed to patch its much-hacked platform.

Microsoft was notified two weeks ahead of today's disclosure and has been contacted by El Reg for comment.

The ZDI disclosure said the use-after-flaw existed in Internet Explorers' handling of CMarkup objects.

"This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file," the disclosure read.

"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user."

Users of Microsoft Outlook and Windows Mail were less likely to fall for a phish exploiting the zero day because the apps open emails in the script-blocking 'restricted sites zone'.

Instead of a patch, Redmond released work-arounds suggesting users harden IE 8 security by changing settings to block and alert use of ActiveX Controls and Active Scripting, and install its Enhanced Mitigation Experience Toolkit (EMET) which makes exploitation of Windows boxes more difficult and expensive.

The disclosure comes on the heels of attacks targeting Internet Explorer vulnerabilities discovered in April. ®

Next gen security for virtualised datacentres

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.