Microsoft to issue emergency IE patch Thursday
Admits attacks also possible through Office docs, dodges question of DEP bypass
Computerworld - Microsoft will release its emergency patch for Internet Explorer (IE) on Thursday, the company said today as it also admitted that attacks can be hidden inside rigged Office documents.
"We are planning to release the update as close to 10:00 a.m. PST as possible," Jerry Bryant, a program manager with the IE group, said in an entry on the Microsoft Security Response Center (MSRC) blog.
Yesterday, Microsoft confirmed speculation that it would issue an "out-of-band" update for the IE vulnerability, but postponed specifying a ship date until today.
Microsoft also updated the security advisory it originally published last week when it acknowledged a zero-day IE vulnerability had been used by hackers to break into the corporate networks of Google and other major Western companies. Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China.
The revised advisory also addressed claims made by researchers that it's possible to exploit the newer IE7 and IE8 browsers, and even circumvent Microsoft's recommended defensive measure, DEP (data execution prevention). However, the advisory waffled on whether DEP bypass was effective, neither confirming or denying the researchers' allegations.
"There is a report of a new Data Execution Prevention (DEP) exploit," Microsoft said in the advisory. "We have analyzed the proof-of-concept exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to Address Space Layout Randomization (ASLR)."
Even a follow-up post by Jonathan Ness, an MSRC engineer, on the company's Security Research & Defense blog declined to spell out whether the DEP bypass attacks were effective. Ness, however, did reiterate Microsoft's point that the only in-the-wild attacks seen thus far have been aimed at IE6.
He also touted the additional security that ASLR and IE's Protected Mode provide, and published a table that spelled out the current attack and threat situation for IE and Windows users.
Microsoft also admitted that the vulnerability could be exploited through malicious Office documents, a vector that had not been disclosed previously. "We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file," said Bryant. "To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office."
Tomorrow's update for IE will patch all attack avenues, Bryant added, including the Office document vector.
The IE vulnerability has gained considerable attention because it has been connected to the attacks that broke into Google's corporate network. McAfee was the first to reveal that the attacks against Google had been conducted using exploits of the IE vulnerability.
The last time Microsoft shipped an emergency security update was July 2009, when it patched IE just hours before several researchers demonstrated a critical vulnerability at a security conference. In October 2008, Microsoft rushed out a patch for Windows; that vulnerability was later exploited by the notorious Conficker worm.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to firstname.lastname@example.org or subscribe to Gregg's RSS feed .
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!