Serious flaw in Internet Explorer not fixed yet

S. C.

http://apnews.myway.com//article/20081215/D953C39O5.html

SAN FRANCISCO (AP) - Users of all current versions of Microsoft Corp. (MSFT)'s Internet Explorer browser might be vulnerable to having their computers hijacked because of a serious security hole in the software that had yet to be fixed Monday.

The flaw lets criminals commandeer victims' machines merely by tricking them into visiting Web sites tainted with malicious programming code. As many as 10,000 sites have been compromised since last week to exploit the browser flaw, according to antivirus software maker Trend Micro Inc.

The sites are mostly Chinese and have been serving up programs that steal passwords for computer games, which can be sold for money on the black market. However, the hole is such that it could be "adopted by more financially motivated criminals for more serious mayhem - that's a big fear right now," Paul Ferguson, a Trend Micro security researcher, said Monday.

"Zero-day" vulnerabilities like this are security holes that haven't been repaired by the software makers. They're a gold mine for criminals because users have few ways to fight off attacks.

The latest vulnerability is noteworthy because Internet Explorer is the default browser for most of the world's computers. Also, while Microsoft says it has detected attacks only against version 7 of Internet Explorer, which is the most widely used edition, the company warned that other versions are also potentially vulnerable.

Microsoft said it is investigating the flaw and is considering fixing it through an emergency software patch outside of its normal monthly updates, but declined further comment. The company is telling users to employ a series of complicated workarounds to minimize the threat.

Many security experts, meanwhile, are urging Internet Explorer users to use another browser until a patch is released.

---

On the Net:

Microsoft's advisory:

http://www.microsoft.com/technet/security/advisory/961051.mspx


Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: December 10, 2008 | Updated: December 15, 2008

Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

This update to the advisory contains information about a new workaround and a recommendation on the most effective workarounds.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we're actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. Current trending indicates that there may be attempts to utilize SQL Injection attacks against Web sites to load attack code on those Web sites. If you're a Web site operator, please review Microsoft Security Advisory (954462), which provides information on tools you can use to analyze your Web site's code to help protect against SQL Injection attacks.

We are actively investigating the vulnerability that these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:

• Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.

• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

• Currently known attacks cannot exploit this issue automatically through e-mail.
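
The advisory quoted above describes the bug only in outline: a bound object is released, the array that holds pointers to bound objects is not shortened, and a later walk over that array touches freed memory. The program below is an editor's added illustration of that class of bug, not Internet Explorer's data-binding code and not anything taken from the advisory; BoundObject, BindingTable, the toy pool allocator, release_buggy and release_fixed are all invented names. It puts the faulty release next to a corrected one and shows why heap reuse turns the stale entry into something an attacker can aim rather than a plain crash.

```c
/* Added illustration (editor's, not Internet Explorer's code) of the bug
 * class in advisory 961051: a bound object released without the array
 * length being updated. All names here are invented for the example. */
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS   4
#define MAX_BINDINGS 4

/* Toy object that a data-binding entry points at. */
typedef struct {
    int  live;       /* 1 while allocated, 0 after release */
    char kind[16];   /* contents chosen by whoever allocated it */
} BoundObject;

/* Tiny pool with a LIFO free list. Real heaps also hand a freed chunk back
 * to the next caller, which is what makes a stale pointer aimable. */
static BoundObject pool[POOL_SLOTS];
static int free_stack[POOL_SLOTS], free_top;

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = POOL_SLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;
}

static BoundObject *pool_alloc(const char *kind) {
    if (free_top == 0) return NULL;
    BoundObject *o = &pool[free_stack[--free_top]];
    o->live = 1;
    strncpy(o->kind, kind, sizeof o->kind - 1);
    o->kind[sizeof o->kind - 1] = '\0';
    return o;
}

static void pool_free(BoundObject *o) {
    o->live = 0;
    free_stack[free_top++] = (int)(o - pool);
}

/* The pointer array and its length: the pair the advisory says fell out
 * of sync. */
typedef struct {
    BoundObject *items[MAX_BINDINGS];
    size_t len;
} BindingTable;

static int table_add(BindingTable *t, BoundObject *o) {
    if (t->len >= MAX_BINDINGS) return -1;
    t->items[t->len++] = o;
    return 0;
}

/* Buggy release: frees the object but leaves items[] and len alone. */
static void release_buggy(BindingTable *t, size_t idx) {
    pool_free(t->items[idx]);
}

/* Fixed release: free, compact and shrink len in one step, so no walker
 * can observe the stale pointer. */
static void release_fixed(BindingTable *t, size_t idx) {
    pool_free(t->items[idx]);
    for (size_t i = idx + 1; i < t->len; i++) t->items[i - 1] = t->items[i];
    t->items[--t->len] = NULL;
}

/* Stand-in for a consumer such as re-rendering bound elements: counts
 * entries that point at released memory instead of dereferencing them. */
static size_t count_dangling(const BindingTable *t) {
    size_t n = 0;
    for (size_t i = 0; i < t->len; i++)
        if (t->items[i] == NULL || !t->items[i]->live) n++;
    return n;
}

/* Bind two objects, release the first, then allocate an attacker-chosen
 * object that reuses the freed slot. Reports the dangling count right after
 * the release and what slot 0 reads once the slot has been reused. */
static const char *run_scenario(int use_fixed, size_t *dangling_after_release) {
    static BindingTable t;
    memset(&t, 0, sizeof t);
    pool_init();
    table_add(&t, pool_alloc("textbox"));
    table_add(&t, pool_alloc("label"));

    if (use_fixed) release_fixed(&t, 0);
    else           release_buggy(&t, 0);
    *dangling_after_release = count_dangling(&t);

    pool_alloc("attacker");   /* LIFO free list hands back the freed slot */
    return t.items[0]->kind;  /* buggy: "attacker"; fixed: "label" */
}

int main(void) {
    size_t d;
    const char *k = run_scenario(0, &d);
    printf("buggy release: %zu dangling entries, slot 0 now reads \"%s\"\n", d, k);
    k = run_scenario(1, &d);
    printf("fixed release: %zu dangling entries, slot 0 now reads \"%s\"\n", d, k);
    return 0;
}
```

Compile with any C99 compiler and run. On the buggy path the table reports one dangling entry immediately after the release, and after the very next allocation the stale slot silently reads the newly allocated object: the dangling count drops back to zero because the memory is live again, just owned by someone else. That aliasing, with the attacker choosing what lands in the reused chunk, is the difference between "exits unexpectedly" and "in a state that is exploitable". The fixed release shrinks the length in the same step as the free, so no walker over the table can ever see the released object.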
 
Yay for me. I don't use 7. I had too much trouble with it when I tried it early on and I hated it. So I uninstalled it and went back to 6.
I also tend to use Firefox a lot too.
 
:laughing:

I still haven't downloaded IE 7 or updated to Vista.....everyone kept saying you HAVE to upgrade...um no I don't, and now I'm glad I didn't.

I always upgrade late....I figure it's just easier to wait for the bugs/flaws to show before I buy.
 
Yay for me. I don't use 7. I had too much trouble with it when I tried it early on and I hated it. So I uninstalled it and went back to 6.
I also tend to use Firefox a lot too.
I would still be careful. They also said it could affect other versions.


The latest vulnerability is noteworthy because Internet Explorer is the default browser for most of the world's computers. Also, while Microsoft says it has detected attacks only against version 7 of Internet Explorer, which is the most widely used edition, the company warned that other versions are also potentially vulnerable.
 

I dont' know if this is connected to what the OP has found out, but a couple of months ago my computer just started to shut down on me every 1/2 hour or so..(running on IE). I did a couple of patches, nothing fixed it. Then a Disser told me to switch to Firefox, and it hasn't happened since. I'm happy with Firefox.
 
:laughing:

I still haven't downloaded IE 7 or updated to Vista.....everyone kept saying you HAVE to upgrade...um no I don't, and now I'm glad I didn't.

I always upgrade late....I figure it's just easier to wait for the bugs/flaws to show before I buy.

The latest vulnerability is noteworthy because Internet Explorer is the default browser for most of the world's computers. Also, while Microsoft says it has detected attacks only against version 7 of Internet Explorer, which is the most widely used edition, the company warned that other versions are also potentially vulnerable.
 
Hmmmmm..wonder if that is why my computer got a virus last week when ds downloaded something from Youtube? It was a bugger for dh to fix as he had to run scan after scan. It also messed up all my on-line accounts as now they don't recognize the computer since I am no longer running IE. Yesterday I had to stop at the bank since I could no longer get on-line to pay the bills and check our accounts.

It has been a real pain...:mad:

Jill
 
Microsoft (NSDQ: MSFT) is planning to release an out-of-band patch for Internet Explorer on Wednesday to address a critical security vulnerability that is being actively exploited.

LINK
 
:laughing:

I still haven't downloaded IE 7 or updated to Vista.....everyone kept saying you HAVE to upgrade...um no I don't, and now I'm glad I didn't.

I always upgrade late....I figure it's just easier to wait for the bugs/flaws to show before I buy.

*GASP!* There are bugs & flaws in Internet Explorer?!? No, *really*? :rolleyes1

agnes!
 
And yet many sites insist that you use only IE to access them. Nuts.
 
And yet many sites insist that you use only IE to access them. Nuts.

There is an add-on for Firefox for sites that seem to only work in IE. I posted this for someone on another thread yesterday.


Taken from another site:
That's because pages made with M$ Front Page often do not conform to web standards. They conform to Microsoft standards. The Firefox add-on to "view page as IE" solves those few times it has happened with me.
https://addons.mozilla.org/en-US/firefox/addon/1419

If you encounter a page that only works with IE, you can just click the button at the bottom of the browser and it reloads the page using an IE emulator. The emulator works so well that you can use Microsoft Update on Firefox without a problem. You can even permanently mark pages to load as IE only.
 