Risk
9/21/2012 12:03 PM

Microsoft Patches IE Bug

Microsoft plans to issue a patch Friday to deal with the latest in a barrage of zero-day exploits for Internet Explorer.

Following security researcher Eric Romang's September 16 discovery of an Internet Explorer (IE) zero-day exploit, Microsoft, which officially acknowledged the vulnerability the next day and later offered a workaround, is set to deploy a patch on Friday. The fix will arrive via Windows Update and is scheduled to roll out around 10 a.m. Pacific Time. The company is hosting a live, online Q&A at noon to address any concerns.

The security fix caps a busy few weeks for Microsoft's security teams. Earlier, the company generated moderate controversy when it initially said an exploit in Internet Explorer 10 would not be addressed until after the browser begins shipping with Windows 8 at the end of October. Microsoft later reversed the decision.

The new vulnerability affects IE versions 6, 7, 8, and 9, and can allow attackers to seize control of a victim's computer. Citing StatCounter, security firm Rapid7, which "strongly" suggested avoiding the Microsoft browser until a fix was offered, noted that around two-fifths of North American Internet users, and one-third of users worldwide, are susceptible to attack. Concern was so widespread in some corners that the German government discouraged the use of the affected IE versions.

[ For more on the IE 9 zero-day exploit, see Microsoft Warns Of IE 9 Security Bug. ]

Despite the widespread fears, nCircle's Andrew Storm said in an interview that "there's been a lot of discussion, but it hasn't panned out to be an Internet pandemic." He noted that the malware seems intended for targeted attacks and that instances in the wild have so far been fairly limited.

Evidence suggests the malware originated in China; that finding, together with a recent Symantec report, suggests that well-funded organizations within the country, and perhaps even the government itself, are carrying out cyber-attacks.

Storm said such speculation probably has "some truth behind it" but countered that definitive proof might not emerge any time soon. "Right now, we have to guess quite a bit about what's going on," he asserted, noting that governments are unlikely to admit to such activities.

Storm also said it's difficult to determine what the malware authors intended, since once word got out, the creators had to shelve their plans.

He lauded Microsoft's quick solution, remarking that it came much faster than anyone expected. He noted, however, that the company recently committed to doubling the resources dedicated to IE testing. "Given that statement," he stated, "it's not surprising they were able to rush [an update] out."

Ryan Eldridge is co-founder of Nerds on Call, which he said repairs zero-day exploits on around 1,500 computers every week. Like Rapid7, Eldridge's company discouraged users from using IE until the vulnerability had been addressed. In an interview, he explained that such caution is wise because "the exploit will live on the Internet pretty much forever," noting that users who run unpatched browsers "will be toast."

He echoed Storm's assertion that the attackers have so far pursued specific goals rather than widespread mischief. Still, he cautioned, "Once [the exploit] starts getting into the wild, other groups get hold of it and turn it to their own nefarious means." Indeed, with the vulnerability already integrated into Rapid7's Metasploit testing tool, the duplicitous code is available to those who want it.

Microsoft's next browser could mitigate security concerns. Following Chrome's lead, it will bundle Flash and its updates directly into IE 10, reducing the number of individual steps users must complete to protect their systems.

Regarding this decision, Storm said, "Microsoft had to do it," noting that Chrome's approach has included successes such as fixing Flash bugs "before Adobe's even released a patch."

Eldridge sees the Flash integration as a positive step. Microsoft has absorbed criticism for automating updates in the past, he noted, since some feel that "users should make that choice." Nonetheless, he stated that removing often-negligent users from aspects of the security maintenance process could benefit the Internet as a whole.

