Microsoft Zips Out-of-Cycle Patch for IE Vulnerability

By Jennifer LeClaire
December 17, 2008 10:39AM

Microsoft has rushed out a patch to Internet Explorer to counter a critical vulnerability that has led to at least two million computer infections. The out-of-cycle IE patch from Microsoft comes as McAfee reported a spike in Web sites hosting exploit code. McAfee warned users to beware of Microsoft Word files sent to unsuspecting users.
 


Microsoft has issued an emergency patch to fix a critical Internet Explorer vulnerability that puts users at risk. At least two million computers have been infected in the past week, most of them in Asia.

The out-of-cycle patch is available through Microsoft's normal update options, including Windows Server Update Services, Microsoft Update, and Windows Update.

The fact that Microsoft broke its normal patch cycle is an indication of the importance of this patch, according to Wolfgang Kandek, CTO of Qualys.

"This is a critical flaw in the most widely used browser on the planet. Internet Explorer users have been exposed for at least a week to high risk while browsing the Internet," Kandek said. "This risk includes having their computer falling under the control of outside attackers, which can then search the computer for personal information such as SSN, install key loggers that record log-in passwords to banking sites, and also use the computer for their own money-making activities."

A Lightning-Fast Fix

The browser flaw was disclosed about a week ago as a zero-day vulnerability, and active exploits have been circulating on the Internet for about that long. The exploit doesn't require users to click on links or download software from the Internet. Rather, it infects users when they open a Web page. Microsoft offered several workarounds while it was working on a fix.

"The workarounds provided by Microsoft were very technical and quite cumbersome to implement, making it imperative for Microsoft to release a fix as quickly as possible," Kandek said. One of the workarounds, however, wasn't cumbersome -- but it carried a competitive downside. Microsoft, as well as many security analysts, recommended that users stop using Internet Explorer until a fix was available.

"Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer, we have seen one of the fastest turnarounds possible," Kandek said. "Moving faster would require having specific mechanisms in the base code of the application, allowing to push out changes in a less disruptive way and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products."

Beware of .Doc Files

A fix was indeed critical, given McAfee's discovery of a spike in the number of active Web sites hosting this exploit. McAfee reports customized versions of the IE 7 exploit with varying degrees of obfuscation.

"Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not-so-tech-savvy Internet users," McAfee's Rahul Monahdas wrote on the McAfee Avert Labs blog. "One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent out to an unsuspecting user."

According to Monahdas, the charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal .doc file.

"We want to reiterate to all our readers to be vigilant and cautious while opening unknown .doc files or visiting dubious Web sites, while we continue to monitor the threat and protect our customers against the menace," Monahdas said.
 

© Copyright 2000-2014 NewsFactor Network. All rights reserved.