Microsoft issues critical security update, blocks IE 6 attacks

Eight critical vulnerabilities in Internet Explorer were repaired in Microsoft's rushed security update. All supported versions of IE are affected.

Microsoft issued an emergency patch today blocking ongoing attacks against corporate networks that have been exploiting a vulnerability in Internet Explorer 6.

If I ran a cyberwarfare unit and I wanted to get into your company, Microsoft Internet Explorer would be a vector I'd explore.
Roger Thornton,
founder and chief technology officerFortify Software Inc.

The critical update, MS10-002, addresses eight vulnerabilities. It blocks publicly available exploit code targeting a zero-day vulnerability believed to be used in the recent attacks against Google, Adobe Systems Inc., and 30 other companies. The attackers targeted users of Internet Explorer 6 running on Windows XP. The update affects all supported versions of Internet Explorer.

"Microsoft continues to see limited and targeted attacks against Internet Explorer 6 only," said Jerry Bryant, senior security program manager at Microsoft. "Microsoft recommends customers deploy this security update as soon as possible to protect themselves against the known attacks."

Internet Explorer contains a variety of memory corruption vulnerabilities that could be exploited by an attacker who tricks users to visit a malicious Web page. The software giant said it also addressed a URL validation handling error, which could be exploited by an attacker using a malicious URL. A cross-site-scripting filter bypass vulnerability in Internet Explorer 8, which could allow disabled scripts to run resulting in information disclosure.

Microsoft updates:
Jan. - Microsoft releases Windows OpenType Font Engine patch: Lone security bulletin is critical for Windows 2000 users.

Dec. - Microsoft gives Internet Explorer a major security overhaul: The final regular Microsoft update of 2009 repairs five critical vulnerabilities in IE and blocks public exploit code, which surfaced in November. 

Nov. - Microsoft patches serious Windows kernel flaws: Vulnerabilities in several Windows kernel drivers could be remotely exploited to gain complete access to a system.

Microsoft said all the vulnerabilities can lead to either information disclosure or enable an attacker to take complete control of a system, install programs, view, change or delete data.

In its security advisory, Microsoft said the flaw used in a spate of attacks against corporate networks was an invalid pointer reference within Internet Explorer resulting in a memory corruption condition when exploit code forces the browser to attempt to access a freed object.

Security experts said the latest spate of attacks against corporate networks shows no new methods and little sophistication. Attacks of this nature have been ongoing for years and are a reminder that companies need to take a defense-in-depth approach and not rely solely on a specific security technology, said software security expert Roger Thornton, founder and chief technology officer of static analysis and software security vendor Fortify Software Inc. While it's nearly impossible to protect the entire corporate network from attack, tools are available to make it a lot harder for cybercriminals, Thornton said.

"If I ran a cyberwarfare unit and I wanted to get into your company, Microsoft Internet Explorer would be a vector I'd explore," Thornton said. "It's a big piece of code; Microsoft just has to make one mistake and I can get in."

Most attackers are choosing browser vulnerabilities, issues with widely-used Flash, Adobe Reader and Acrobat PDF applications, other Web interfaces and finally operating system errors, Thornton said. Attackers are also getting better at targeting individuals with savvy social engineering tactics. Most people use a social networking account and information is widely available helping cybercriminals craft convincing messages designed to trick users into visiting a website or download a file.

"Every country in the world is going to have some genuine security interest to know our secrets and I don't fault the Chinese or whoever for trying to get those secrets," Thornton said. "It kills me when these types of vulnerabilities happen to Microsoft because they really are working on the problem, but some things are slipping through."

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close