Out-of-cycle IE patch may be imminent

By Bill Brenner, News Writer 01 Dec 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Chances are good Microsoft will release a critical fix for Internet Explorer before Dec. 13, its next scheduled patch release date. That's because malicious code -- most notably TrojanDownloader.Win32/Delf-DH -- is targeting a memory corruption flaw in the browser.

"This issue was originally reported to the public in May as being a stability issue that caused the browser to close," the software giant said in an updated advisory on its Web site. "Since then, new information has been posted that indicates remote code execution could be possible. We have also been made aware of proof-of-concept code and malicious software targeting the reported vulnerability."

In a separate advisory, Microsoft warned that TrojanDownloader.Win32/Delf-DH is targeting the flaw. "This Trojan is downloaded to a computer automatically when a user visits certain Web sites," Microsoft said.

Microsoft urged customers to visit its new Windows Live Safety Center and use the complete scan option "to check for and remove this malicious software and future variants." Meanwhile, the software giant said, "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

Scott Fendley, a handler for the Bethesda, Md.-based SANS Internet Storm Center, wouldn't be surprised if there is an out-of-cycle patch. "I think it is a safe bet that Microsoft will take appropriate steps to fix the problem as quickly as possible," he said on the center's Web site. Until then, he offered this advice:

1.) "Be vigilant. Know that a patch will be forthcoming hopefully within the next two weeks and be ready to deploy quickly," he said.

2.) If your organization can operate with one of the workarounds Microsoft has mentioned in [its advisory], "then I recommend mitigating your risk as much as possible," he said. "We all have at least one person who is a little too...uhm...liberal with browsing the Internet on company time. Think about it, that very person is probably shopping for Christmas presents right now on less-than-secure sites."

The vulnerability is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript 'window()' object and the 'body onload' tag. Attackers who exploit the flaw could take complete control of an affected system by convincing a user to visit a malicious Web page.

Tags: Security Patch Management,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Web Browser Security Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary