Microsoft has released Security Advisory 980088 to alert users of a vulnerability in Microsoft Internet Explorer. The advisory indicates that exploitation of this vulnerability may allow an attacker to harvest user credentials and other sensitive information by enticing users to visit a maliciously crafted web page.
US-CERT encourages users and administrators to review Microsoft Security Advisory 980088 and apply the suggested workarounds of running Internet Explorer in Protected Mode and setting the Internet zone security setting to High to mitigate the risk of unwanted information disclosure.
Tag Archives: IE
Microsoft Releases Security Advisory 980088
Filed under Security Advisories
Tagged as 980088, advisory, IE, Internet Explorer, Microsoft, protected mode, security, US-CERT
Tagged as 980088, advisory, IE, Internet Explorer, Microsoft, protected mode, security, US-CERT
France and Germany warn citizens to avoid using Internet Explorer
The governments of both France and Germany have issued official warnings to their citizenry, saying that, until Microsoft releases a patch for the widely-used Internet Explorer web browser, it is a threat to network security and should not be used.
Tech news website eWeek reports that the exploit that has caused such widespread concern in Europe is the same one that was used to attack a number of corporate systems in the U.S., including Google, which has since caused that company to announce that it would cease cooperation with the Chinese government. Concerns have been raised about the Chinese government's possible involvement in the attacks.
The French and German governments both advised their citizens to switch to alternative web browsers, while eWeek reports that Microsoft has said the vulnerability can be avoided with a switch to Internet Explorer 8, thought to be immune to the exploit.
The French information agency CERTA said in a statement that it strongly advised users to disable dynamic code and to browse the internet with limited user rights active on the machine.
Tech news website eWeek reports that the exploit that has caused such widespread concern in Europe is the same one that was used to attack a number of corporate systems in the U.S., including Google, which has since caused that company to announce that it would cease cooperation with the Chinese government. Concerns have been raised about the Chinese government's possible involvement in the attacks.
The French and German governments both advised their citizens to switch to alternative web browsers, while eWeek reports that Microsoft has said the vulnerability can be avoided with a switch to Internet Explorer 8, thought to be immune to the exploit.
The French information agency CERTA said in a statement that it strongly advised users to disable dynamic code and to browse the internet with limited user rights active on the machine.
Security flaw in IE used to target U.S. firms in cyber attack
Filed under Security News
Tagged as attack, Cyber, IE, off-cycle, patch, repair, update, vulnerability
Tagged as attack, Cyber, IE, off-cycle, patch, repair, update, vulnerability
Microsoft announced yesterday that the cyber criminals who launched a large-scale assault on network security at multiple American firms did so via a vulnerability in the company's Internet Explorer browser software.
A security alert released by the company said that IE 6 installations running on some less commonly used versions of Windows were vulnerable, as well as IE 6, 7, and 8 installations on Windows XP, Vista, Server 2003/2008, and Windows 7. Microsoft has said that it is working on a solution and could release an off-cycle update to repair the vulnerability.
CNET reports that source code was stolen from over 30 U.S. firms targeted in the attack, including Adobe, Yahoo, Symantec, and Dow Chemical, though only Adobe has issued an official confirmation that it was attacked.
Experts say that setting IE's security features to maximum prevents the attack from gaining access to valuable personal or company data. According to PC Magazine, this implies the exploit targets IE's unprivileged context, outside of which it is unlikely to cause many problems.
A security alert released by the company said that IE 6 installations running on some less commonly used versions of Windows were vulnerable, as well as IE 6, 7, and 8 installations on Windows XP, Vista, Server 2003/2008, and Windows 7. Microsoft has said that it is working on a solution and could release an off-cycle update to repair the vulnerability.
CNET reports that source code was stolen from over 30 U.S. firms targeted in the attack, including Adobe, Yahoo, Symantec, and Dow Chemical, though only Adobe has issued an official confirmation that it was attacked.
Experts say that setting IE's security features to maximum prevents the attack from gaining access to valuable personal or company data. According to PC Magazine, this implies the exploit targets IE's unprivileged context, outside of which it is unlikely to cause many problems.
New zero-day flaw discovered in older versions of Internet Explorer
Filed under Security News
Tagged as exploit, flaw, IE, javascript, malware, Symantec, vulnerability, zero-day
Tagged as exploit, flaw, IE, javascript, malware, Symantec, vulnerability, zero-day
Security researchers at Symantec report that new malware has targeted a memory corruption vulnerability in Internet Explorer 6 and 7, which carries the potential for system crashes or malicious redirects.
The company revealed the vulnerability in a blog post over the weekend, saying that, while the current iteration of the malware showed "signs of poor reliability," they expect well-written exploit code to hit the internet in "the near future." The Javascript-based exploit - which the researchers have dubbed Bloodhound.Exploit.129 - requires prospective victims to visit an infected website.
As usual, the best way to avoid being infected by this malware is to ensure that all of the latest security patches and updates have been applied. Symantec recommends disabling Javascript and only visiting trusted websites until Microsoft can release a bugfix for the vulnerability.
Though long since superseded by Internet Explorer 8, Internet Explorer 6 and 7 are still widely used by some enterprise consumers for reasons of compatibility and familiarity. Experts recommend upgrading to the latest version and keeping all software patched.
The company revealed the vulnerability in a blog post over the weekend, saying that, while the current iteration of the malware showed "signs of poor reliability," they expect well-written exploit code to hit the internet in "the near future." The Javascript-based exploit - which the researchers have dubbed Bloodhound.Exploit.129 - requires prospective victims to visit an infected website.
As usual, the best way to avoid being infected by this malware is to ensure that all of the latest security patches and updates have been applied. Symantec recommends disabling Javascript and only visiting trusted websites until Microsoft can release a bugfix for the vulnerability.
Though long since superseded by Internet Explorer 8, Internet Explorer 6 and 7 are still widely used by some enterprise consumers for reasons of compatibility and familiarity. Experts recommend upgrading to the latest version and keeping all software patched.
Microsoft issues Internet Explorer security update
Filed under Security News
Tagged as bug, IE, Internet Explorer, Microsoft, MS09-054, security, update
Tagged as bug, IE, Internet Explorer, Microsoft, MS09-054, security, update
Microsoft on Monday issued a security bulletin that updates a previous patch for Internet Explorer to resolve two issues. The IE bug only affects users who already applied the earlier patch.
Microsoft announced yesterday at the Microsoft Security Response Center that the security update MS09-054 released as part of the October Security Bulletin Release was causing errors in certain browsing scenarios.
The company said it is "not currently aware of any attempts to attack the vulnerabilities."
The MS09-054 bulletin is a fix rated critical for all Windows users. The bulletin addressed three flaws in all versions of IE and also an attack vector in the Firefox web browser for users with the Windows Presentation Foundation (WPF) plugin enabled.
Microsoft said users who have not applied the patch MS09-054 should first apply that fix before applying the fix from bulletin 976749.
The prior bulletin caused some confusion for Firefox maker Mozilla, which decided to block the Microsoft WPF add-on along with another .NET Framework Assistant add-on. Mozilla later unblocked the .NET Framework add-on within Firefox.
Microsoft announced yesterday at the Microsoft Security Response Center that the security update MS09-054 released as part of the October Security Bulletin Release was causing errors in certain browsing scenarios.
The company said it is "not currently aware of any attempts to attack the vulnerabilities."
The MS09-054 bulletin is a fix rated critical for all Windows users. The bulletin addressed three flaws in all versions of IE and also an attack vector in the Firefox web browser for users with the Windows Presentation Foundation (WPF) plugin enabled.
Microsoft said users who have not applied the patch MS09-054 should first apply that fix before applying the fix from bulletin 976749.
The prior bulletin caused some confusion for Firefox maker Mozilla, which decided to block the Microsoft WPF add-on along with another .NET Framework Assistant add-on. Mozilla later unblocked the .NET Framework add-on within Firefox.
Internet Explorer security flaw affects Firefox browser
Microsoft's release of its monthly security update on Tuesday contained fixes for three vulnerabilities affecting all versions of Internet Explorer, including one vulnerability that could be exploited on the .NET Framework to infect users of the Firefox browser.
The patch CVE-2009-2529 fixes a vulnerability in the Windows Presentation Foundation (WPF) component that could be exploited in a browse-and-get owned scenario by visiting a malicious website.
"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," Microsoft said on its IE Blog. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."
That means Firefox users with .NET Framework 3.5 who visit a malicious website could have their Windows PCs hijacked using this vulnerability.
Microsoft said a workaround to mitigate the problem involves disabling the XBAP (XAML Browser Application) in the internet zone under security settings.
Firefox users can disable the Windows Presentation Foundation under Tools, Add-ons and then Plug-ins.
The security update is rated critical for all IE versions including IE 5.0, IE 6, IE 6 SP1, IE 7 and IE 8, including the version shipped with Windows 7.
The patch CVE-2009-2529 fixes a vulnerability in the Windows Presentation Foundation (WPF) component that could be exploited in a browse-and-get owned scenario by visiting a malicious website.
"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," Microsoft said on its IE Blog. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."
That means Firefox users with .NET Framework 3.5 who visit a malicious website could have their Windows PCs hijacked using this vulnerability.
Microsoft said a workaround to mitigate the problem involves disabling the XBAP (XAML Browser Application) in the internet zone under security settings.
Firefox users can disable the Windows Presentation Foundation under Tools, Add-ons and then Plug-ins.
The security update is rated critical for all IE versions including IE 5.0, IE 6, IE 6 SP1, IE 7 and IE 8, including the version shipped with Windows 7.
Out-of-band patch coming for flaws in IE, Visual Studio
Microsoft alerted customers on Friday that it will be issuing web security patches on Tuesday for two critical vulnerabilities in Internet Explorer and Visual Studio, a suite of developer tools for creating web applications.
The fixes are "out of band," meaning Microsoft is issuing the patches outside of its normal monthly security update cycle.
On the company's security response center blog, Microsoft's Mike Reavey did not elaborate on the vulnerabilities, but said the Internet Explorer fix is designed to "address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical."
The Visual Studio fix relates to vulnerabilities affecting certain applications, Reavey said.
Customers who are up to date on security patches are protected from the vulnerabilities related to this patch, the company said.
Microsoft came under fire recently when it was revealed that the company had failed to disclose for more than a year a major security flaw in the Video ActiveX Control in IE, which IBM researchers warned the company about in spring 2008.
The fixes are "out of band," meaning Microsoft is issuing the patches outside of its normal monthly security update cycle.
On the company's security response center blog, Microsoft's Mike Reavey did not elaborate on the vulnerabilities, but said the Internet Explorer fix is designed to "address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical."
The Visual Studio fix relates to vulnerabilities affecting certain applications, Reavey said.
Customers who are up to date on security patches are protected from the vulnerabilities related to this patch, the company said.
Microsoft came under fire recently when it was revealed that the company had failed to disclose for more than a year a major security flaw in the Video ActiveX Control in IE, which IBM researchers warned the company about in spring 2008.
Microsoft warns of another ‘browse-and-get-owned’ IE vulnerability
Filed under Security News
Tagged as ActiveX, browse-and-get-owned, IE, Intrnet Explorer, Microsoft, Spreadsheet, vulnerability
Tagged as ActiveX, browse-and-get-owned, IE, Intrnet Explorer, Microsoft, Spreadsheet, vulnerability
Microsoft detailed another security hole Monday that has been exploited by hackers in a browse-and-get-owned scenario when users visit a malicious website with Internet Explorer. The vulnerable system is the Spreadsheet ActiveX control in Microsoft Office Web Components, which allows users to view spreadsheets in IE.
The company has "only seen limited attacks," exploiting the web security flaw, said Dave Forstrom, group manager for Microsoft's security response communications team, on the Microsoft Security Response Center blog. He warned that if exploited successfully, an attacker could gain the same user rights as the local user.
Affected products include the Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3 and several others, which are listed at the MSRC website.
Forstrom said a patch for the flaw will be released "once it reaches an appropriate level of quality for broad distribution."
Microsoft is already scheduled to patch several major security holes Tuesday in its monthly security update.
The company came under fire last week when it was revealed that the company failed to disclose for over a year a major flaw in the Video ActiveX Control, which IBM researchers warned the company about in spring 2008.
The company has "only seen limited attacks," exploiting the web security flaw, said Dave Forstrom, group manager for Microsoft's security response communications team, on the Microsoft Security Response Center blog. He warned that if exploited successfully, an attacker could gain the same user rights as the local user.
Affected products include the Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3 and several others, which are listed at the MSRC website.
Forstrom said a patch for the flaw will be released "once it reaches an appropriate level of quality for broad distribution."
Microsoft is already scheduled to patch several major security holes Tuesday in its monthly security update.
The company came under fire last week when it was revealed that the company failed to disclose for over a year a major flaw in the Video ActiveX Control, which IBM researchers warned the company about in spring 2008.
Microsoft warns vulnerability being exploited in IE
A zero-day vulnerability in Microsoft Video ActiveX Control has been exploited in the wild, Microsoft warned on Monday. An attacker who successfully exploits this web security flaw could take control of a user's PC using a maliciously crafted website.
Users of Windows XP and Windows Server 2003 are vulnerable to the exploit when visiting malicious websites using Internet Explorer, Microsoft said in a security bulletin.
Compromised websites and sites that accept or host user-provided content or advertisements could contain malicious code to exploit this vulnerability.
Microsoft said cybercriminals could attempt to exploit the web security flaw by luring users to click a link in an email message or Instant Messenger message that takes users to the attacker's site.
Windows XP and Windows Server 2003 users should deactivate ActiveX Control within Internet Explorer, using the workaround listed on Microsoft's support site.
Although Windows Vista and Windows Server 2008 are unaffected by this vulnerability, Microsoft is recommending that customers remove support for ActiveX Control within Internet Explorer.
Users can also opt to have Microsoft automatically "Fix It For Me" at Knowledge Base article 972890 on the support site.
Users of Windows XP and Windows Server 2003 are vulnerable to the exploit when visiting malicious websites using Internet Explorer, Microsoft said in a security bulletin.
Compromised websites and sites that accept or host user-provided content or advertisements could contain malicious code to exploit this vulnerability.
Microsoft said cybercriminals could attempt to exploit the web security flaw by luring users to click a link in an email message or Instant Messenger message that takes users to the attacker's site.
Windows XP and Windows Server 2003 users should deactivate ActiveX Control within Internet Explorer, using the workaround listed on Microsoft's support site.
Although Windows Vista and Windows Server 2008 are unaffected by this vulnerability, Microsoft is recommending that customers remove support for ActiveX Control within Internet Explorer.
Users can also opt to have Microsoft automatically "Fix It For Me" at Knowledge Base article 972890 on the support site.