    Microsoft to Fix an Internet Explorer Zero-Day Flaw

    By Sean Michael Kerner - March 7, 2014

      It looks like at long last Microsoft will plug a zero-day flaw in its Internet Explorer (IE) Web browser March 11. That is, of course, the first Tuesday of the month and the time when Microsoft releases its monthly Patch Tuesday security update.

      Ahead of every Patch Tuesday, Microsoft always releases an advance notification for what is to come. Last month at this time, when the advance notification for February was issued, Microsoft indicated that there would be no IE flaws fixed in February. It turns out that the advance notification wasn’t a complete indicator of February’s patches, as Microsoft did, in fact, patch 24 IE flaws Feb. 11.

      As it turns out, though, even with the 24 patched flaws, Microsoft still missed at least one. On Feb. 13, the first public report about a new unpatched zero-day flaw in IE emerged. The flaw is formally known as CVE-2014-0322 and is a use-after-free memory flaw. In use-after-free exploits, an attacker is able to utilize legitimate areas of memory that should not be available.

      The flaw could enable an attacker to execute arbitrary code. Security firm FireEye reported that the CVE-2014-0322 flaw is being exploited in the wild as part of an attack based on the U.S. Veterans of Foreign Wars’ Website.

      In the three weeks since the first disclosure of CVE-2014-0322, Microsoft has not issued an emergency patch for the IE flaw. The mitigations to date have included a “fix-it” tool to help users.

      Microsoft has also noted that the flaw does not affect IE 11, and if users simply migrate from IE 10 or previous versions of IE, they can be protected. Going a step further, Microsoft’s Enhanced Mitigation Toolkit (EMET) also can protect IE 10 users from the CVE-2014-0322 flaw. EMET provides an additional layer of protection to Windows applications.

      The problem with all of the mitigations that Microsoft has offered to date for the CVE-2014-0322 flaw is that none of them are automatically available to all regular Windows users and none of them were part of any default Windows Update.

      The simple reality for most Windows users is that they update when Microsoft tells them to update. The mechanism for updates is Windows Update, and if an update is not there, it might as well not exist for a large number of Microsoft users because they will just never know about it.

      However, the Patch Tuesday update is fully visible as a default update in Windows Update. When March 11 rolls around, most Microsoft users will finally be protected against CVE-2014-0322.

      The timing of this month’s Patch Tuesday, however, doesn’t bode well for Microsoft IE users in general. The annual Pwn2own browser-hacking competition gets under way March 12. In every single year that contest has run, new zero-day flaws have emerged in IE.

      Hewlett-Packard, which runs the Pwn2own event, doesn’t just let zero-day flaws leak out from its event. Flaws first reported at Pwn2own are responsibly disclosed to the affected vendors first, giving them time to fix the issue. So while I have absolutely no doubt that a new zero-day flaw will emerge for IE on March 12, Microsoft will have some time to deal with it.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
