Microsoft Patches IE Bug

Published: 22/11/2024   Category: security




Microsoft plans to issue a patch Friday to deal with the latest in a barrage of zero-day exploits for Internet Explorer.



Following security researcher Eric Romang's September 16 discovery of an Internet Explorer (IE) zero-day exploit, Microsoft, which officially acknowledged the vulnerability the next day and later offered a workaround, is set to deploy a patch on Friday. The remedy will arrive via Windows Update and is set to roll out around 10 a.m. Pacific Time. The company is hosting a live, online Q&A at noon to address any concerns.
The security fix caps a busy few weeks for Microsoft's security teams. Earlier, the company generated moderate controversy when it initially said an exploit in Internet Explorer 10 would not be addressed until after the browser begins shipping with Windows 8 at the end of October. Microsoft later reversed the decision.
The new security risk affects IE versions 6, 7, 8, and 9, and can allow attackers to seize control of a victim's computer. Citing StatCounter, security firm Rapid7, which strongly suggested avoiding the Microsoft browser until a fix was offered, noted that around two-fifths of North American Internet users, and one-third of users worldwide, are susceptible to attack. Concern was so widespread in some corners that the German government discouraged the use of afflicted IE versions.
[ For more on the IE 9 zero-day exploit, see Microsoft Warns Of IE 9 Security Bug. ]
Despite the aggressive fears, nCircle's Andrew Storm said in an interview that there's been a lot of discussion, but it hasn't panned out to be an Internet pandemic. He noted that the malware seems intended for targeted attacks and that instances in the wild have so far been fairly limited.
Evidence suggests the malware originated in China, information that, along with a recent Symantec report, suggests well-funded organizations within the country--and perhaps even the government itself--are issuing cyber-attacks.
Storm said such speculation probably has some truth behind it but countered that definitive proof might not emerge any time soon. "Right now, we have to guess quite a bit about what's going on," he asserted, noting that governments are unlikely to admit to such activities.
Storm also said it's difficult to determine what the malware authors intended, as once word got out, the creators had to shelve their plans.
He lauded Microsoft's quick solution, remarking that it's come much quicker than anyone expected. He noted, however, that the company recently committed to doubling the resources dedicated to IE testing. "Given that statement," he stated, "it's not surprising they were able to rush [an update] out."
Ryan Eldridge is co-founder of Nerds on Call, which he said repairs zero-day exploits on around 1,500 computers every week. Like Rapid7, Eldridge's company discouraged users from using IE until the vulnerability had been addressed. In an interview, he explained that such caution is wise because the exploit will live on the Internet pretty much forever, noting that users who run unpatched browsers will be toast.
He echoed Storm's assertion that the attackers have so far pursued specific goals rather than widespread mischief. Still, he cautioned, "Once [the exploit] starts getting into the wild, other groups get hold of it and turn it to their own nefarious means." Indeed, with the vulnerability already integrated into Rapid7's Metasploit testing tool, the duplicitous code is available to those who want it.
Microsoft's next browser could mitigate security concerns. Following Chrome's lead, it will bundle Flash and its updates directly into IE 10, reducing the number of individual steps users must complete to protect their systems.
Regarding this decision, Storm said, "Microsoft had to do it," noting that Chrome's approach has included successes such as fixing Flash bugs before Adobe's even released a patch.
Eldridge sees the Flash integration as a positive step. Microsoft has absorbed criticism for automating updates in the past, he noted, since some feel that users should make that choice. Nonetheless, he stated that removing often-negligent users from aspects of the security maintenance process could benefit the Internet as a whole.
