Microsoft issues a patch to close a security hole in Internet Explorer linked to the recent attacks on Google and other companies. The update addresses seven other vulnerabilities as well.
Microsoft issued an emergency fix Jan. 21 to patch the Internet Explorer
vulnerability at the center of a spate of cyber-attacks
against Google, Adobe Systems and dozens of other companies.
The update actually addresses a total of eight vulnerabilities
in IE, the most serious of which can be exploited for remote code execution.
The flaw at the center of the cyber-attack
on Google is CVE-2010-0249.
According to new findings from Symantec, the fix comes as a
new exploit targeting the vulnerability has begun to make the rounds on the
Internet.
"The new exploit is being hosted on hundreds of Websites
and Symantec detects the malicious HTML pages as Trojan.Malscript!html,"
said Josh Talbot, security intelligence manager for Symantec Security Response.
"The pages contain a shell code that bypasses a warning dialog shown after
a downloaded file gets executed. The page replaces the code of 'MessageBeep API'
so that the Internet Explorer process which attempts to play a beep sound will
be terminated.
"After the termination of the process, it causes the
Internet Explorer window to be displayed again," Talbot continued. "The
shell code also contains code to avert API
hooking when it calls APIs. By doing this, some security products may miss some
monitored APIs."
In the end, a malicious file is downloaded, Symantec
reported.
Though Microsoft noted that some of its other applications
use mshtml.dll as a rendering engine and could be used as an attack vector if
they allow active scripting, the company said the IE update closes down all known attack vectors.
Six of the vulnerabilities are memory corruption flaws. The
remaining two include a cross-site scripting filter-handling vulnerability and
a URL validation vulnerability.
"According to the Microsoft Security Research &
Defense team, this update also addresses the DEP bypass vulnerability made public
yesterday, which exists in all current versions of Internet Explorer,"
said Don Leatham, senior director of business development at Lumension. "If
not bypassed, DEP can help in stopping the exploit code. Newer versions of
Internet Explorer running on Windows Vista and Windows 7 are less vulnerable.
"These versions of Windows have Address Space Layout
Randomization (ASLR) that provides an extra level of protection beyond DEP,"
Leatham added. "This is a clear, real-world example of the superior
security model implemented in Windows Vista and Windows 7, and should be a
wake-up call to organizations still running Windows XP to accelerate their
migration plans."