Microsoft: Hole exploit threatens all IE versions
Published: 15 Dec 2008 09:58 GMT
An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicised on 10 December, Microsoft has said.
Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable.
The company recommends setting the internet zone security setting to 'high' and using access control lists to disable Ole32db.dll to provide the most effective protection against an attack.
"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd writes in the Microsoft Security Response Center blog.
Microsoft has seen several hundred detections of exploits from around the globe, though the sites taking advantage of the vulnerability appear to be hosted on Chinese domains, Microsoft said in a Microsoft Malware Protection Center blog.
Read this
Tackling the threat from compromised websites
Most web-based malware now comes from genuine sites that have been compromised, but security expert Mary Landesman wonders: are site owners and visitors are addressing the problem?
"The exploit sites we've seen so far drop a wide variety of malware — most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; Trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack," the Malware Protection Center blog said. "We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the internet underground," it added.
People visiting trusted sites could also be affected from sites targeted by SQL injection attacks through which malicious code is injected into sites, Microsoft says.
A Microsoft spokesman said he could not say when a fix would come. The next Patch Tuesday is scheduled for 13 January.
Microsoft's updated advisory lists a number of mitigating factors: Protected Mode in IE7 and IE8 in Windows Vista limits the impact of the vulnerability; IE on Windows Server 2003 and 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the internet to high; the attacker could only gain the same user rights as the local user; known attacks can not exploit the issue automatically through email.
Credit: Microsoft: Hole exploit endangers all IE versions from CNET News
Did you find this article useful?
17 out of 20 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
Full Talkback thread
5 comments
