Newsletters
The Enterprise Security Supersite NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Please click for more information, or scroll down to pass the ad, or Close Ad.
Home Network Security Viruses & Malware Hackers Security Solutions More Topics...
Vblock™ Systems:
Advanced converged infrastructure
increases productivity & lowers costs.

www.vce.com
Security Solutions
Tame your scariest paperwork. Find Out How
Average Rating:
Rate this article:  
Microsoft Zips Out-of-Cycle Patch for IE Vulnerability
Microsoft Zips Out-of-Cycle Patch for IE Vulnerability

By Jennifer LeClaire
December 17, 2008 10:39AM

Bookmark and Share
Microsoft has rushed out a patch to Internet Explorer to counter a critical vulnerability that has led to at least two million computer infections. The out-of-cycle IE patch from Microsoft comes as McAfee reported a spike in Web sites hosting exploit code. McAfee warned users to beware of Microsoft Word files sent to unsuspecting users.
 


Microsoft has issued an emergency patch to fix a critical Internet Explorer vulnerability that puts users at risk. At least two million computers have been infected in the past week, most of them in Asia.

The out-of-cycle patch is available through Microsoft's normal update options, including Windows Server Update Services, Microsoft Update, and Windows Update.

The fact that Microsoft broke its normal patch cycle is an indication of the importance of this patch, according to Wolfgang Kandek, CTO of Qualys.

"This is a critical flaw in the most widely used browser on the planet. Internet Explorer users have been exposed for at least a week to high risk while browsing the Internet," Kandek said. "This risk includes having their computer falling under the control of outside attackers, which can then search the computer for personal information such as SSN, install key loggers that record log-in passwords to banking sites, and also use the computer for their own money-making activities."

A Lightning-Fast Fix

The browser flaw was disclosed about a week ago, as a zero-day vulnerability and active exploits have been around the Internet for about that long. The exploit doesn't require users to click on links or download software from the Internet. Rather, it infects users when they open a Web page. Microsoft offered several workarounds while it was working on a fix.

"The workarounds provided by Microsoft were very technical and quite cumbersome to implement, making it imperative for Microsoft to release a fix as quickly as possible," Kandek said. One of the workarounds, however, wasn't cumbersome -- but it was a competitive downside. Microsoft, as well as many security analysts, recommended browsers stop using Internet Explorer until a fix was available.

"Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer, we have seen one of the fastest turnarounds possible," Kandek said. "Moving faster would require having specific mechanisms in the base code of the application, allowing to push out changes in a less disruptive way and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products."

Beware of .Doc Files

A fix was indeed critical, given McAfee's discovery of a spike in the number of active Web sites hosting this exploit. McAfee reports customized versions of the IE 7 exploit with varying degrees of obfuscation.

"Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not-so-tech-savvy Internet users," McAfee's Rahul Monahdas wrote on the McAfee Avert Labs blog. "One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent out to an unsuspecting user."

According to Monahdas, the charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal .doc file.

"We want to reiterate to all our readers to be vigilant and cautious while opening unknown .doc files or visiting dubious Web sites, while we continue to monitor the threat and protect our customers against the menace," Monahdas said.
 

Tell Us What You Think
Comment:

Name:



APC has an established a reputation for solid products that virtually pay for themselves upon installation. Who has time to spend worrying about system downtime? APC makes it easy for you to focus on business growth instead of business downtime with reliable data center systems and IT solutions. Learn more here.


 Security Solutions
1.   Data Center Plug-In Monitors Security
2.   Security Firms Watch for Feisty Fans
3.   BlackBerry Wins Security Certification
4.   Best of Interop 2014 Finalists Named
5.   Oracle Tackles Mobile Security


advertisement
Security Firms Watch for Feisty Fans
Social media monitoring gives heads-up.
Average Rating:
BlackBerry Wins Security Certification
Enterprise Service 10 gets FIPS nod.
Average Rating:
Data Center Plug-In Monitors Security
ManageEngine offering is in beta.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
What Verizon's Data Breach Report Can Teach Enterprises
It’s probably not a jaw-dropper, but cyberespionage is officially on the rise. And the use of stolen or misused credentials is still the leading way the bad guys gain access to corporate information.
 
Top Cyberthreats Exposed by Verizon Report
Beyond Heartbleed, there are cyberthreats vying to take down enterprise networks, corrupt smartphones, and wreak havoc on businesses. Verizon is exposing these threats in a new report.
 
Where Do Web Sites Stand, Post-Heartbleed?
A security firm says the vast majority of Web sites have patched themselves to protect against the Heartbleed bug, but now there are questions raised on the reliability of open-source programs.
 

Navigation
Enterprise Security Today
Home/Top News | Network Security | Viruses & Malware | Hackers | Security Solutions | Mobile Security | Disaster Recovery | Windows Security
Data Security | EST Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters | XML/RSS Feed

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.