
Hole in Internet Explorer: Good news and bad news


nsane.forums


Microsoft plans to release an emergency patch to close the hole in Internet Explorer before the end of this week. The first successful exploits, even with the Data Execution Prevention feature enabled, have now appeared.

  • Administrator

Microsoft to issue IE patch for Google attack flaw

Microsoft will take the unusual step of issuing an out-of-cycle patch for the Internet Explorer flaw thought to have been central to the cyberattacks against Google and other companies.

The company announced Tuesday that "given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves, and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability." Microsoft didn't say exactly when it would release the patch, but promised more details Wednesday.

Microsoft normally releases patches for its software on Patch Tuesday, as it has come to be known, so that corporations that use Microsoft products will know what's coming and can plan accordingly. But every now and then it will break with that pattern upon the discovery of an important flaw or vulnerability that requires a fast fix, since Patch Tuesday only comes once a month. The next Patch Tuesday is scheduled for February 9.

The vulnerability at issue in the cyberattacks that have prompted a showdown between Google and China affects versions 6, 7, and 8 of Internet Explorer, although Microsoft said that attacks have only been successful on systems running IE 6. The company advised IE users to upgrade to Internet Explorer 8 to protect themselves against attacks.

The news comes after researchers from Vupen Security reported that technology designed to mitigate attacks in newer versions of IE can be bypassed.

Asked to comment on that, a Microsoft spokeswoman said: "Microsoft is investigating claims of the ability to bypass the Data Execution Prevention (DEP) feature in Internet Explorer. Once we're done investigating, we will take appropriate action to help protect customers."

Source - CNET



  • Administrator

Microsoft to release patch for IE hole on Thursday

Microsoft said on Wednesday that it will release on Thursday a patch to fix the latest hole in Internet Explorer that was used in the China-based attack on Google and for which an exploit has been released on the Internet since last week.

The company plans to release the patch as close to 10 a.m. PST on Thursday as possible and host a public Webcast at 1 p.m. PST, according to the security advisory.

Microsoft continues to see limited attacks and has only seen evidence of successful attacks against Internet Explorer 6, according to Jerry Bryant, senior security program manager at Microsoft.

"This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical," he said in a statement.

"It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized," Bryant said. "We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released."

Vulnerable software is IE 6 on Microsoft Windows 2000 and IE 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, Microsoft said.

Microsoft also updated its security advisory on the vulnerability to include technical details to address additional products that may be affected by this vulnerability and to provide guidance related to reports of proof of concept code that bypasses the Data Encryption Protection that can mitigate against attacks.

For an attack to be accomplished, an attacker would have to lure an IE user to a Web site hosting malware that was written to exploit the hole in the browser. This could be done by using social engineering and including a link to the malicious site in an e-mail that looks like it is coming from someone familiar or contains important information. Once a computer is infected, an attacker could take complete control of it.

Microsoft had announced on Tuesday that it would release the out-of-band patch before the next Patch Tuesday in February.

Meanwhile, McAfee announced on Wednesday the availability of a free tool that anyone can use to detect and remove any malware related to "Operation Aurora," the name they have given to the attacks on Google and other companies based on what they believe attackers dubbed it. The "Aurora Stinger" tool from McAfee also includes a link to the cloud-based McAfee Global Threat Intelligence, McAfee Chief Technology Officer George Kurtz said in a blog post. "This means it will also pick up on newly discovered variants in real time without requiring an update to the signature files that come with the tool," he said.

Updated 11:55 a.m. PST with McAfee tool and background on exploit code being in the wild, and information on how an attack could be accomplished.

Source - CNET



Archived

This topic is now archived and is closed to further replies.
