Microsoft issues advisory on Internet Explorer zero-day
By Robert Westervelt, News Editor, SearchSecurity.com
18 Jan 2010 | searchSecurity.in
A zero-day vulnerability in Internet Explorer was used by hackers in a recent spate of targeted attacks against Google, Adobe and other firms, according to an advisory issued by Microsoft late Thursday.
The software giant said it was cooperating with Google and other companies and providing information to investigators. The remote code execution vulnerability affects nearly all supported versions of IE running on nearly every version of Windows. IE 5.01 on Windows 2000 is not affected.
"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time," Mike Reavey, the group manager at the Microsoft Security Response Center wrote on the MSRC blog. "Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution."
Attacks targeting specific corporate networks are becoming more prevalent, Reavey said, urging enterprises to deploy multiple layers of defenses to improve their security posture. Google and Adobe acknowledged in separate messages this week that their corporate systems had been targeted by hackers who used sophisticated social engineering tactics. McAfee said its researchers discovered the IE zero-day vulnerability during an analys
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By joining searchSecurity.in you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
TechTarget cares about your privacy. Read our Privacy Policy
is of the malware used in the attacks.
In its advisory, Microsoft said customers could mitigate the threat posed by the IE zero-day flaw by setting local intranet security zone settings to high and using protected Mode in IE 7 on Windows Vista and later. The higher security zone setting makes the browser check with the user before running ActiveX Controls and Active Scripting. In addition, Data Execution Prevention (DEP) can be enabled to help mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions, Reavey said.
"The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted.," Microsoft said in its advisory. "In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."
The flaw is exploited by setting up specially crafted content on an attack website. Microsoft said the attacker would have to get the user to visit the website by tricking them into clicking on a link within an email message.
"It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems," Microsoft said.