Return to VNFAWING.com Website Return to Main Forum Index PageReturn to VNFAWING.com Website
:: Forum Index :: Zephyrnet Forums :: FAQ :: Search :: Memberlist :: Groups :: Register :: Profile :: Log in to check your private messages :: Log in ::
Serious flaw in Internet Explorer not fixed yet (AP)

 
Post new topic   Reply to topic    VNFAWING.com Forum Index -> Internet, Hardware, Networking, & Security Forum
View previous topic :: View next topic  
Author Message
CAG Hotshot

Admin, Site Owner, Developer, Webmaster
 

Rank: Admin, Site Owner, Developer, Webmaster

Joined: 12 Aug 2004

Posts: 16082

Post subject: Serious flaw in Internet Explorer not fixed yet (AP) Reply with quote
Quote:
Serious flaw in Internet Explorer not fixed yet (AP)

SAN FRANCISCO - Users of all current versions of Microsoft Corp.'s Internet Explorer browser might be vulnerable to having their computers hijacked because of a serious security hole in the software that had yet to be fixed Monday.

The flaw lets criminals commandeer victims' machines merely by tricking them into visiting Web sites tainted with malicious programming code. As many as 10,000 sites have been compromised since last week to exploit the browser flaw, according to antivirus software maker Trend Micro Inc.

The sites are mostly Chinese and have been serving up programs that steal passwords for computer games, which can be sold for money on the black market. However, the hole is such that it could be "adopted by more financially motivated criminals for more serious mayhem — that's a big fear right now," Paul Ferguson, a Trend Micro security researcher, said Monday.

"Zero-day" vulnerabilities like this are security holes that haven't been repaired by the software makers. They're a gold mine for criminals because users have few ways to fight off attacks.

The latest vulnerability is noteworthy because Internet Explorer is the default browser for most of the world's computers. Also, while Microsoft says it has detected attacks only against version 7 of Internet Explorer, which is the most widely used edition, the company warned that other versions are also potentially vulnerable.

Microsoft said it is investigating the flaw and is considering fixing it through an emergency software patch outside of its normal monthly updates, but declined further comment. The company is telling users to employ a series of complicated workarounds to minimize the threat.

Many security experts, meanwhile, are urging Internet Explorer users to use another browser until a patch is released.

_________________
CAG Hotshot
"FAF Shape Meister"
Forum Administrator
FAF/FA-2 Design team
TSH Member/Developer

-------- __@
----- _`\<,_
---- (*)/ (*)
~~~~~~~~~~~~~~~~



PostMon Dec 15 16:32:50 2008
View user's profile Send private message Send e-mail Visit poster's website
CAG Hotshot

Admin, Site Owner, Developer, Webmaster
 

Rank: Admin, Site Owner, Developer, Webmaster

Joined: 12 Aug 2004

Posts: 16082

Post subject: Reply with quote
Quote:
Microsoft issues emergency patch to fix IE flaw

Microsoft issued an emergency out-of-cycle patch Wednesday to prevent ongoing attacks from successfully exploiting an XML flaw in Internet Explorer.

The MS08-078 update corrects an XML processing error and affects all currently supported versions of IE running on Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

Initial reports of attacks in the wild said that only IE 7 was targeted, but after further investigation, Microsoft extended its warning to include all versions of the browser. A group of Chinese security researchers admitted to mistakenly releasing the code in the wild. The exploit is being tied to the Chinese Knownsec security team, which wrote a blog post explaining the blunder.

Paul Henry, security and forensic analyst at patch management vendor Lumension Security, said that within a day of the flaw details being released, he was able to download proof-of-concept code.

"You try to give enough information to make people aware but occaisionally give too much information," Henry said.

No vendor is immune to exploit code spreading in the wild, Henry said. In addition to Microsoft, Mozilla and Apple issued updates recently, addressing serious browser flaws.

"The browser has become the gateway onto the network," he said. "Web based malware is a huge problem and people aren't patching their browsers."

Since the discovery of attacks in the wild on Dec. 11, Microsoft said that 1 in 500 Internet users may already be infected. The software giant said hackers are planting the exploit on websites using SQL injection techniques. A successful attack infects systems with the Downloader-AZN Trojan, which then connects to a remote website and downloads additional malware. Although attacks have been limited, security experts warned that if carried out successfully, they could give an attacker the same user rights as the local user, and ultimately the ability gain access to sensitive data.

The zero day was discovered just a day after Microsoft issued eight security bulletins to repair 28 flaws in its product line, including several serious flaws in Internet Explorer.

Eric Schultze, chief technology officer of patching vendor Shavlik Technologies, called media reports of the IE flaw overblown. Some called for users to switch to alternative browsers. The attack is no different than other zero-day flaws reported in the past, and now with a patch released users will be protected, he said.

"Those so called legit websites passing on this infected exploit have many more issues to deal with," Schultze said in a phone interview. "The attackers seemed to have taken a liking to this particular issue, actually hacking into Web servers to inject code and infect sites."

Prior to the patch release, Microsoft recommended several workarounds. Those that implemented them found that it broke functionality for some internal applications, Schultze said. Some security pros who implemented the workarounds will now have to deploy the patch and reverse them.

"In some cases they thought it was a serious enough threat to implement the workarounds anyway," he said. "It's a risk reward thing."

Danish vulnerability clearinghouse Secunia has given the flaw an extremely critical rating because it is being actively exploited.

This fix marks the second time in only two months that Microsoft has released a security patch outside of its monthly cycle. It usually issues patches on the second Tuesday of each month. Microsoft issued an out-of-cycle patch in October, correcting a dangerous remote procedure call (RPC) error. That flaw was also being actively exploited in the wild. Prior to that, Microsoft released a patch in April 2007, fixing a Windows ANI curser handling flaw.

_________________
CAG Hotshot
"FAF Shape Meister"
Forum Administrator
FAF/FA-2 Design team
TSH Member/Developer

-------- __@
----- _`\<,_
---- (*)/ (*)
~~~~~~~~~~~~~~~~



PostThu Dec 18 10:54:16 2008
View user's profile Send private message Send e-mail Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    VNFAWING.com Forum Index -> Internet, Hardware, Networking, & Security Forum All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics
You cannot reply to topics
You cannot edit your posts
You cannot delete your posts
You cannot vote in polls




VNFAWING Flight Sim Development Center,Inc. - VNFAWING.com™

Powered by phpBB © 2001 - phpBB Group