Risk
1/7/2013
09:24 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Patches Won't Fix IE Zero-Day Vulnerability

Microsoft's first Patch Tuesday of 2013 will address 12 flaws, including a critical vulnerability affecting virtually all Windows machines.

CES 2013: 9 Cool Gadgets
CES 2013: 9 Cool Gadgets
(click image for larger view and for slideshow)
For many tech professionals, Tuesday will be all about the Consumer Electronics Show (CES) spectacle. For IT admins, though, the day is likely to be spent deploying Microsoft's first security patches of 2013. The collection of seven patches will address 12 problems, two of which have been classified as critical vulnerabilities. It won't, however, offer a permanent solution for an Internet Explorer (IE) vulnerability discovered in late December.

Both of the critical vulnerabilities Microsoft will patch allow attackers to remotely execute code on unpatched machines. One affects only Windows 7 and Windows Server 2008 R2 -- but the confined risk doesn't mitigate the potential damage, given that Windows 7 is the world's most widely deployed OS. The other involves virtually all Windows variations currently used in the enterprise: Windows XP through Windows 8, as well as Windows Server 2003, 2008, 2008 R2 and 2012. Instituting the patches could cause admins a few minor headaches; all but one of the seven patches, including the two most urgent ones, require that machines be restarted.

The presently unpatched zero-day vulnerability in IE, meanwhile, was first described by cybersecurity firm FireEye, which published a blog post on December 28, one day after receiving reports that the website for the Council on Foreign Relations had been compromised. FireEye said the site had been injected with malicious code due to an error in IE 8. The firm declined to provide in-depth technical details until Microsoft issues a solution, but it noted that the JavaScript involved includes a few peculiarities, such as exploiting only browsers whose OS language is English, Chinese, Japanese, Korean or Russian.

Microsoft acknowledged the problem a day later and revealed that IE 6, 7 and 8 are affected. The company explained that an attacker "could take complete control of an affected system" and has offered a workaround until a complete patch is released.

[ Microsoft had a tough year in 2012, with disappointing sales for long-awaited products including Windows 8 and the Surface tablet. Learn 6 Things Microsoft Must Do In 2013. ]

Given how recently the exploit was discovered, it would have been surprising if Microsoft had bundled a patch into the forthcoming updates. The fact the IE 9 and 10 are not vulnerable takes a bit of the urgency off, but security firm Exodus Intelligence claims that the current workaround is easily subverted. The company provided technical details of the bypass to its customers, but will not make the information public until Microsoft has issued a patch.

In an earlier analysis, Exodus Intelligence co-founder Peter Vreugdenhil wrote that the vulnerability is "just another Internet Explorer use-after-free bug which was actually relatively easy to analyze and exploit." A Sophos Security blog post, meanwhile, took a more somewhat more aggressive tone in describing the risk, tracing the exploit to a handful of additional attacks and recommending that users avoid affected versions of IE.

In an email, IDC analyst Al Hilwa wrote that, "Releasing information about a vulnerability before it is patched is always a balancing act." If Microsoft learned that the exploit had become known within the hacker community, he asserted, the knowledge would compelled the the company's leaders to "exposite it and give recommendations even prior to figuring out a solution."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
johnitguru
50%
50%
johnitguru,
User Rank: Apprentice
1/7/2013 | 6:22:35 PM
re: Microsoft Patches Won't Fix IE Zero-Day Vulnerability
I got tired of Microsoft viruses, scams and malware so I installed a really cool 3D Linux operating system for only $39.95 that is 100% compatible with all my Windows data and is 10 times faster called Robolinux.

It took me only 5 minutes to install it.

Now I can surf the web until I am blue in the face and I can't get a virus.

Check it out go to robolinux.org

http://robolinux.org
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6278
Published: 2014-09-30
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and m...

CVE-2014-6805
Published: 2014-09-30
The weibo (aka magic.weibo) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6806
Published: 2014-09-30
The Thanodi - Setswana Translator (aka com.thanodi.thanodi) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6807
Published: 2014-09-30
The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application 1.2.7.132 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6808
Published: 2014-09-30
The Active 24 (aka com.zentity.app.active24) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.