Microsoft zero-day attacks target all versions of IE

By Robert Westervelt, News Editor 12 Dec 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft is warning customers that ongoing zero-day attacks against a flaw in Internet Explorer 7 now affect all versions of the Web browser.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Earlier attacks were only targeting IE 7, but the underlying vulnerability, an error in the way the browser processes XML, affects all currently supported versions of IE. Security experts are warning that the threat is serious because the vulnerability could be exploited by an attacker to gain the same user rights as the local user, and ultimately gain access to sensitive data.

"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd, security response communications lead for Microsoft, wrote on the Microsoft Security Response Center (MSRC) blog.

Microsoft browser flaws: Microsoft acknowledges IE 7 zero-day attacks: The exploit was mistakenly released by a Chinese security team. Unpatched Internet Explorer 7 flaw under attack (Security Bytes blog) A new exploit for IE 7 is being used against fully patched Windows XP and Windows 2003 systems. Microsoft fixes critical flaws in Office, IE Dangerous flaws could allow an attacker to access sensitive files and gain complete control of a computer. More than two dozen flaws were patched.

In the updated advisory, Microsoft recommends setting the Internet zone security setting to high and using ACLs to disable Ole32db.dll. The change should lower the threat until a patch is released, Budd said.

Earlier this week, Verisign's iDefense security group said a group of Chinese security researchers may have mistakenly released the code in the wild. The exploit is being tied to the Chinese Knownsec security team, which admitted the mistake in a blog post.

Danish vulnerability clearinghouse Secunia has given the flaw an extremely critical rating because the flaw is being actively exploited.

In a McAfee Avert Labs blog post, security researchers Geok Meng Ong and Xiaobo Chen explained how the exploit contains a downloader that installs malware onto a victim's machine.

"We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system," the researchers said. "The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution."

The zero-day was discovered just a day after Microsoft issued eight security bulletins to repair 28 flaws in its product line, including several serious flaws in Internet Explorer. Bulletin MS08-073 addresses memory corruption errors in the way IE handles certain navigation methods. Microsoft gave the flaws a "1" on its Exploitability Index, warning that consistent exploit code is likely in the wild.

Tags: Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Browser Security Microsoft warns that IE zero-day vulnerability causes data leakage Browser exploit kit probe highlights need for patching, vigilance Google to pay for Chrome browser vulnerabilities Attackers continue barrage of SEO attacks Microsoft emergency IE update to block latest corporate attacks Facebook, McAfee partner to fix social network security issues Firefox, Opera, Safari browsers top list of high risk software Mozilla fixes Firefox critical memory corruption errors FBI estimates rogue antivirus losses exceeding $150 million Adobe updates Flash Player, fixes seven serious vulnerabilities Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary