
Microsoft warns that IE zero-day vulnerability causes data leakage

By Robert Westervelt, News Editor, SearchSecurity.com
08 Feb 2010 | SearchSecurity.in


Microsoft issued a new advisory late Wednesday, warning Internet Explorer (IE) users of the potential for data leakage as a result of new publicly disclosed IE zero-day vulnerabilities.

The IE vulnerabilities could result in information disclosure for users running any version of the browser on Windows XP or users who have disabled Internet Explorer Protected Mode. The software giant said it is unaware of any IE zero-day attacks targeting the vulnerabilities.

An attacker could target the hole by setting up a drive-by attack on a webpage. Microsoft said malicious code could also be served up in certain Web advertisements.

Until a patch is issued, a temporary Microsoft Fix-it (direct download) has been made available for Windows XP users. It automates Network Protocol Lockdown and can be deployed by enterprises through their automated systems, Microsoft said. Microsoft also provided a guide for system administrators describing manual steps for deploying the temporary network protocol fix.

Microsoft said users running IE 7 or 8 on Windows Vista and Windows 7 are not vulnerable to the flaw because the default configuration puts users in IE Protected Mode.

Danish vulnerability clearinghouse Secunia gave the IE zero-day vulnerability a "moderately critical" rating. Secunia said one error occurs when the browser incorrectly handles redirections, bypassing domain restrictions and resulting in disclosure of some local files. A second flaw occurs when the browser handles a "dynamically created object," also disclosing certain files.

"Successful exploitation of the vulnerabilities requires that the full path to a target file is known prior to the attack," Secunia said in its advisory.

Patch issued for corporate attacks targeting IE 6 users.
Microsoft issued an emergency, out-of-band update last month addressing eight vulnerabilities in Internet Explorer. The update was the result of high-profile, ongoing attacks targeting corporate users of IE 6 on Windows XP.

The attacks were carried out against Google, Adobe Systems Inc. and more than 30 other companies. Microsoft said all the vulnerabilities can lead to either information disclosure or enable an attacker to take complete control of a system.
