Microsoft issues advisory on Internet Explorer zero-day

By Robert Westervelt, News Editor, SearchSecurity.com 18 Jan 2010 | SearchSecurity.in

Digg This!     StumbleUpon     Del.icio.us

A zero-day vulnerability in Internet Explorer was used by hackers in a recent spate of targeted attacks against Google, Adobe and other firms, according to an advisory issued by Microsoft late Thursday.

The software giant said it was cooperating with Google and other companies and providing information to investigators. The remote code execution vulnerability affects nearly all supported versions of IE running on nearly every version of Windows. IE 5.01 on Windows 2000 is not affected.

"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time," Mike Reavey, the group manager at the Microsoft Security Response Center wrote on the MSRC blog. "Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution."

Attacks targeting specific corporate networks are becoming more prevalent, Reavey said, urging enterprises to deploy multiple layers of defenses to improve their security posture. Google and Adobe acknowledged in separate messages this week that their corporate systems had been targeted by hackers who used sophisticated social engineering tactics. McAfee said its researchers discovered the IE zero-day vulnerability during an analysis of the malware used in the attacks.

In its advisory, Microsoft said customers could mitigate the threat posed by the IE zero-day flaw by setting local intranet security zone settings to high and using protected Mode in IE 7 on Windows Vista and later. The higher security zone setting makes the browser check with the user before running ActiveX Controls and Active Scripting. In addition, Data Execution Prevention (DEP) can be enabled to help mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions, Reavey said.

"The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted.," Microsoft said in its advisory. "In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

The flaw is exploited by setting up specially crafted content on an attack website. Microsoft said the attacker would have to get the user to visit the website by tricking them into clicking on a link within an email message.

"It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems," Microsoft said.

Tags: Vulnerability and patch management,  Windows and other OS security best practices,  Viruses, worms, spyware, and other malware,  Hacking countermeasures,  Application and Web threat defenses,  Business compliance management,  Enterprise risk management strategies,  Network and endpoint security tools and technologies,  Threat Monitor,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Vulnerability and patch management Vulnerability management gets in-house treatment at AXA Business Services Gartner's server virtualization security risk list Clientless SSL VPN vulnerability and Web browser protection Cloud Security Alliance releases top cloud computing security threats RAM-scraping attacks are a rising -- but preventable -- threat Microsoft warns that IE zero-day vulnerability causes data leakage What to do with network penetration test results Network discovery and the Simple Network Management Protocol Best practices to secure wireless networks Another PDF attack targets Adobe zero-day vulnerability Windows and other OS security best practices How to perform an Active Directory health check 11 application security tweaks for a secure SDLC RAM-scraping attacks are a rising -- but preventable -- threat Configuring a Windows network infrastructure: Wired, wireless security Microsoft warns that IE zero-day vulnerability causes data leakage Microsoft extends SDL program, adds Agile development template Protecting enterprise networks from new mobile application downloads First step in forensics: Create a bootable Windows environment CD Leveraging DLP to gain customer confidence: The Cognizant way Another PDF attack targets Adobe zero-day vulnerability Viruses, worms, spyware, and other malware Vulnerability management gets in-house treatment at AXA Business Services Gartner's server virtualization security risk list Clientless SSL VPN vulnerability and Web browser protection Cloud Security Alliance releases top cloud computing security threats Zeus Trojan continues reign infecting 74,000 PCs in global botnet Fraudulent mobile applications will threaten mobile banking security Mobile Reputation Security prototype from Symantec: A closer look Configuring a Windows network infrastructure: Wired, wireless security A botnet and rootkit removal 101 Microsoft warns that IE zero-day vulnerability causes data leakage

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary active man-in-the-middle attack  (SearchSecurityIN.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary