Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/16/2008
03:03 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Issuing Emergency Patch For Internet Explorer

Without the fix, hackers have the potential to access a computer's memory space, causing IE to exit unexpectedly, in a state that can be exploited.

Microsoft is planning to release an out-of-band patch for Internet Explorer on Wednesday to address a critical security vulnerability that's being actively exploited.

The company on Saturday warned that 1 in 500 Internet Explorer users worldwide may have been exposed to malware hosted at both legitimate Web sites and porn sites that exploit an unpatched vulnerability.

Microsoft confirmed finding exploit code on a search engine in Taiwan and on a Web site in Hong Kong that serves adult entertainment content.

"Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability," Microsoft Security Response Center researchers Ziv Mador and Tareq Saade said in a blog post. "That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: We saw an increase of over 50% in the number of reports today compared to yesterday."

Microsoft's estimate works out to as many as 1.4 million potential victims, assuming there are a billion active Internet users (estimates range from 800 million to 1.5 billion), about 70% of whom are using Internet Explorer. The number of potential victims would drop to 940,000 if only Internet Explorer 7 users (47% browser market share) were affected. And those numbers represent only potential victims: Not all those exposed would be necessarily become infected.

The security hole in Internet Explorer has snowballed since last week when Microsoft in a Security Advisory said, "At this time, we are aware only of limited attacks that attempt to use this vulnerability."

"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," explained Christopher Budd, Microsoft security response communications lead, in an e-mailed statement. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."

Since last Tuesday, Microsoft has updated its advisory four times. It expanded the list of potentially affected versions of Internet Explorer to include not only IE 7, but also IE 5.01 SP4, IE 6, IE 6 SP1, and IE 8 Beta 2. It also added several workaround options that involve disabling certain features.

Microsoft however says it is aware only of attacks affecting Internet Explorer 7 under the following systems: Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.

Despite Microsoft's suggested workarounds, U.S. CERT said, it is "currently unaware of a practical solution to this problem." Wednesday's patch should provide a solution.

In a blog post on Tuesday titled "Stop Viewing Porn In Internet Explorer ... For Now," Graham Cluley, senior technology consultant at Sophos, said that his company is seeing about 20,000 new infected Web pages appearing every day and that most of those sites are legitimate sites compromised by SQL injection attacks.

Stephan Chenette, manager of security research at Websense Security Labs, said in a phone interview that he's seeing a lot more legitimate sites being infected than porn sites. "I would characterize the severity as quite critical," he said. "It has quickly become the exploit of choice among attackers."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19719
PUBLISHED: 2019-12-11
Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
CVE-2019-19720
PUBLISHED: 2019-12-11
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
CVE-2019-19707
PUBLISHED: 2019-12-11
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets.
CVE-2019-19708
PUBLISHED: 2019-12-11
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.
CVE-2019-19709
PUBLISHED: 2019-12-11
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.