Microsoft Subnet An independent Microsoft community View more

Microsoft warns of IE zero day in the wild, all IE versions vulnerable

Microsoft issued a security advisory and a 'Fix it' for a zero-day exploit targeting Internet Explorer.

Microsoft is warning of a zero-day exploit targeting Internet Explorer. On Tuesday, the company posted a security advisory stating "Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9."

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet ZERO-DAY ATTACKS: Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

[ZERO-DAY ATTACKS: How to Fight Back]

According to Security Advisory 2887505:

In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

"All supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone," but "if a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario."

From the bad to the ugly Microsoft category

Last week, four of the 13 Microsoft-issued updates were yanked for causing nasty retargeting loop headaches for some customers. After installing the updates, some users were notified to install updates again, and then again, in a vicious circle, as if they had not previously installed them. Microsoft said there were also cases "where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM)." The company fixed the flawed patches and released new updates.

Some folks may say that was a fluke, but it also happened in August; Microsoft had to pull security updates that caused functionality issues. The company claimed it had not properly tested the patches. "Are we starting to see a shift back to when people called Microsoft the necessary PITA [pain in the ass]?" asked Andrew Storms, director of DevOps at CloudPassage.

Good news from Microsoft

In the Microsoft good news category, Windows Phone 8 was given the FIPS 140-2 security thumbs up by the government. "FIPS 140-2 is a U.S. government security standard used to accredit the cryptographic algorithms that protect sensitive data inside products like smartphones," wrote the Windows Phone blog. "In all, Windows Phone 8 received accreditation for nine cryptographic certificates."

If things go according to Microsoft's plans, then Windows Phones will have a new virtual assistant in 2014. The Microsoft-flavored Siri is code-named "Cortana," after "an artificially intelligent character in Microsoft's Halo series who can learn and adapt." ZDNet added, "Cortana, Microsoft's assistant technology, likewise will be able to learn and adapt, relying on machine-learning technology and the 'Satori' knowledge repository powering Bing."

Lastly, Microsoft announced that Bing is moving on to "the next phase," which is more than a new logo and user interface. "Bing is now an important service layer for Microsoft, and we wanted to create a new brand identity to reflect Bing's company-wide role. The new look integrates the 'One Microsoft' vision both from a product perspective and visually." This seems to squash rumors that Microsoft might kick Bing to the curb. You can preview the modern Bing, this "new face of search," here.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies