Zero day IE flaw exploited in targeted attacks. Microsoft releases temporary fix

  • 17 September 2013
  • 2 replies
  • 2 views

Userlevel 7
Badge +54
Microsoft has released an emergency workaround for users of Internet Explorer, to protect against a “limited number” of targeted attacks being specifically directed at IE 8 and IE 9 – but which could potentially affect all versions of the web browser.

According to a blog post by Dustin Childs, a group manager for communications in Microsoft’s Trustworthy Computing group, the security hole can be exploited when users visit a boobytrapped webpage:
"This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message. Running modern versions of Internet Explorer ensures that customers receive the benefit of additional security features that can help prevent successful attacks."
 
 
Full Article
 

2 replies

Userlevel 7
Badge +54
Critical Internet Explorer exploit code released in the wild.

Attack code that exploits a critical vulnerability in all supported versions of Microsoft's Internet Explorer browser has been publicly released.

Monday's release of a module for the Metasploit exploit framework used by security professionals and hackers could broaden the base of attackers who are capable of targeting the flaw. Until now, the bug has been known to be exploited in only a handful of highly targeted attacks aimed mostly at workers in Japanese government agencies and manufacturers. While the attack code has been available to anyone who knows where to find it, its inclusion in the open-source Metasploit could make it easier for some people to use.

Microsoft issued a temporary fix for the browser two weeks ago. The company, which is scheduled to release its next batch of security updates on October 8, hasn't said when it will issue a permanent patch.
 
Full Article
Userlevel 7
Badge +54
Hold in there, Internet Explorer peeps: Gaping zero-day fix coming Tues
 
Microsoft is preparing to close a wide-open security hole in Internet Explorer - a vulnerability state-backed spies are exploiting to mine organisations across Asia.

A update to fix the flaw is among four critical patches Redmond has lined up for the October edition of Patch Tuesday, due next week. Versions 6 through to 11 of the web browser are known to be vulnerable.

The use-after-free bug in Internet Explorer [CVE-2013-3893] allows attackers to execute arbitrary code on a victim's computer; a mark simply has to surf to a web page booby-trapped with JavaScript that triggers the flaw.

In fact, the bug itself is quite an interesting case study: modern Windows kernels attempt to randomise the layout of software in memory and mark the areas containing just data as non-executable, which in theory is supposed to make life extremely difficult for hackers.
 
Full Article

Reply