Microsoft Zips Out-of-Cycle Patch for IE Vulnerability

By Jennifer LeClaire
December 17, 2008 10:39AM

Microsoft has rushed out a patch to Internet Explorer to counter a critical vulnerability that has led to at least two million computer infections. The out-of-cycle IE patch from Microsoft comes as McAfee reported a spike in Web sites hosting exploit code. McAfee warned users to beware of Microsoft Word files sent to unsuspecting users.
 


Microsoft has issued an emergency patch to fix a critical Internet Explorer vulnerability that puts users at risk. At least two million computers have been infected in the past week, most of them in Asia.

The out-of-cycle patch is available through Microsoft's normal update options, including Windows Server Update Services, Microsoft Update, and Windows Update.

The fact that Microsoft broke its normal patch cycle is an indication of the importance of this patch, according to Wolfgang Kandek, CTO of Qualys.

"This is a critical flaw in the most widely used browser on the planet. Internet Explorer users have been exposed for at least a week to high risk while browsing the Internet," Kandek said. "This risk includes having their computer falling under the control of outside attackers, which can then search the computer for personal information such as SSN, install key loggers that record log-in passwords to banking sites, and also use the computer for their own money-making activities."

A Lightning-Fast Fix

The browser flaw was disclosed about a week ago as a zero-day vulnerability, and active exploits have been circulating on the Internet for about that long. The exploit doesn't require users to click on links or download software from the Internet. Rather, it infects users when they open a Web page. Microsoft offered several workarounds while it was working on a fix.

"The workarounds provided by Microsoft were very technical and quite cumbersome to implement, making it imperative for Microsoft to release a fix as quickly as possible," Kandek said. One of the workarounds, however, wasn't cumbersome -- but it carried a competitive downside. Microsoft, as well as many security analysts, recommended that users stop using Internet Explorer until a fix was available.

"Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer, we have seen one of the fastest turnarounds possible," Kandek said. "Moving faster would require having specific mechanisms in the base code of the application, allowing to push out changes in a less disruptive way and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products."

Beware of .Doc Files

A fix was indeed critical, given McAfee's discovery of a spike in the number of active Web sites hosting this exploit. McAfee reports customized versions of the IE 7 exploit with varying degrees of obfuscation.

"Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not-so-tech-savvy Internet users," McAfee's Rahul Monahdas wrote on the McAfee Avert Labs blog. "One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent out to an unsuspecting user."

According to Monahdas, the charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal .doc file.

"We want to reiterate to all our readers to be vigilant and cautious while opening unknown .doc files or visiting dubious Web sites, while we continue to monitor the threat and protect our customers against the menace," Monahdas said.
 

© Copyright 2000-2014 NewsFactor Network. All rights reserved.