Vulnerabilities / Threats
9/24/2012
10:32 AM
50%
50%

Microsoft IE Patch Fixes Flaw Under Active Attack

Microsoft wins praise for quickly addressing five remote-execution security vulnerabilities, one of which is being used now in attacks.

8 Key Differences Between Windows 8 And Windows RT
8 Key Differences Between Windows 8 And Windows RT
(click image for larger view and for slideshow)
As promised, Microsoft Friday released a security update to patch a zero-day vulnerability that's being actively exploited by attackers, as well as four previously undisclosed vulnerabilities of a similar nature.

According to Microsoft's critical security update, Internet Explorer 6, 7, 8, and 9, running on almost every type of Windows operating system, are vulnerable to a remote code execution attack. A related exploit, if successful, would allow an attacker to execute arbitrary code on a targeted machine. Notably, however, IE10 and some versions of Windows Server aren't vulnerable to the related attack.

Numerous security experts have recommended that all IE users immediately install Microsoft's patch. "We recommend installing the update as soon as possible, even if you are not running one of the configurations that are currently being exploited, i.e. Internet Explorer plus Flash or version Java v1.6," said Wolfgang Kandek, CTO of Qualys, in a blog post.

According to a technical analysis of the vulnerability published by Microsoft, attackers have so far only exploited the flaw via browser plug-ins. "All real attacks we have seen are targeting only 32-bit versions of Internet Explorer, and rely on third-party browser [plug-ins] to either perform efficient heap-spray in memory and/or to bypass the built-in mitigations of Windows Vista and 7 such as DEP and ASLR," according to the post. For example, some versions of the attack code that target Java 6--which lacks ASLR--aren't effective against Java 7.

[ What are the legal rules when it comes to cyber attacks? Read Cyber Warfare Still Poses Legal Questions. ]

But Kandek warned that as attackers gain familiarity with the vulnerability, they may develop more effective exploits. "Attackers are surely working on [ways] to exploit the vulnerability directly, without the help of plug-ins," he said.

The vulnerability being exploited via in-the-wild attacks was disclosed on September 16 by researcher Eric Romang, who said he'd found it just two days prior, while examining code on an Italian website that was used--apparently by the gang behind the Nitro malware--to launch a number of recent, targeted attacks. Romang warned that attackers may have been employing the zero-day vulnerability for some time, prior to his spotting it.

After Romang's disclosure, the IE vulnerability was quickly verified by researchers at AlienVault Labs, which also found related command-and-control servers for the malware being hosted in Astoria, Ill. It said that the vulnerability was apparently being used to infect targeted PCs with the Poison Ivy remote access toolkit.

Last week, meanwhile, the vulnerability was also added as a working exploit to the Metasploit open source penetration testing toolkit, which allows security researchers--or potentially, attackers--to test the vulnerability for themselves.

The speed of Microsoft's patch response--just one week elapsed from public disclosure of the vulnerability to Microsoft releasing a fix--has earned the company plaudits from information security experts. "In my opinion, computer users should be grateful for Microsoft's response. They managed to create, test, and roll out a patch for the Internet Explorer security [vulnerability] Romang discovered being exploited by malicious hackers within a week," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

Interestingly, however, Microsoft's security bulletin doesn't credit Romang with having reported the vulnerability in question. Rather, it thanks TippingPoint, which suggests that Microsoft may have first learned of the vulnerability from a different source, and prior to Romang's disclosure.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
johnitguru
50%
50%
johnitguru,
User Rank: Apprentice
10/5/2012 | 12:47:51 PM
re: Microsoft IE Patch Fixes Flaw Under Active Attack
I got tired of Microsoft viruses, scams and malware so I installed a really cool 3D Linux operating system for only $39.95 that is 100% compatible with all my Windows data and is 10 times faster called Robolinux.
It took me only 5 minutes to install it.

Now I can surf until I am blue in the face and I can't get a virus.

Check it out

http://robolinux.org
johnitguru
50%
50%
johnitguru,
User Rank: Apprentice
10/5/2012 | 12:47:35 PM
re: Microsoft IE Patch Fixes Flaw Under Active Attack
I got tired of Microsoft viruses, scams and malware so I installed a really cool 3D Linux operating system for only $39.95 that is 100% compatible with all my Windows data and is 10 times faster called Robolinux.
It took me only 5 minutes to install it.

Now I can surf until I am blue in the face and I can't get a virus.

Check it out

http://robolinux.org
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.