Microsoft warns of IE zero day in the wild, all IE versions vulnerable

Microsoft issued a security advisory and a 'Fix it' for a zero-day exploit targeting Internet Explorer.

Microsoft is warning of a zero-day exploit targeting Internet Explorer. On Tuesday, the company posted a security advisory stating "Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9."

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
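The advisory's wording, accessing an object in memory that has been deleted, describes the use-after-free class of bug. The C below is an added illustration, not code from Microsoft or Internet Explorer: a toy event handler frees an object while its caller still holds a pointer to it, next to a reference-counted version in which the caller takes its own reference before dispatching and released pointers are cleared. Every name in it (Element, g_current, elem_retain, elem_release, the two flow functions) is invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy object standing in for a document element (invented for this example). */
typedef struct Element {
    char name[16];
    int  refcount;
} Element;

/* ---- Vulnerable pattern: shown for comparison, not executed by main() ---- */

Element *g_current;  /* hypothetical single global holding the "current" element */

void on_event_vulnerable(void) {
    free(g_current);  /* handler tears the element down ... */
    /* ... but does not clear the pointer, so g_current now dangles */
}

int vulnerable_flow(void) {
    g_current = calloc(1, sizeof *g_current);
    if (!g_current) return -1;
    strcpy(g_current->name, "body");
    on_event_vulnerable();
    /* Use-after-free: reads memory that has already been deleted (undefined behaviour). */
    return g_current->name[0] == 'b';
}

/* ---- Hardened pattern: reference counting plus cleared pointers ---- */

Element *elem_retain(Element *e) {
    if (e) e->refcount++;
    return e;
}

/* Releases one reference and always nulls the caller's pointer, so a stale
 * use becomes a null dereference (a crash) rather than a silent read of freed memory. */
void elem_release(Element **pe) {
    Element *e = *pe;
    if (!e) return;
    *pe = NULL;
    if (--e->refcount == 0) {
        memset(e, 0, sizeof *e);  /* scrub before returning the block to the allocator */
        free(e);
    }
}

void on_event_hardened(Element **slot) {
    elem_release(slot);  /* drops the slot's reference and clears the slot */
}

/* Returns 1 when the caller's reference kept the object alive across the handler
 * and both pointers were cleared by their releases. */
int hardened_flow(void) {
    Element *current = calloc(1, sizeof *current);
    if (!current) return -1;
    strcpy(current->name, "body");
    current->refcount = 1;                 /* the slot owns one reference */

    Element *held = elem_retain(current);  /* caller takes its own reference first */
    on_event_hardened(&current);           /* handler frees its slot: current is now NULL */

    int alive = (held->name[0] == 'b');    /* still valid: the caller's reference is outstanding */
    elem_release(&held);                   /* last reference: object is actually freed here */

    return alive && current == NULL && held == NULL;
}

int main(void) {
    /* Only the hardened path runs; vulnerable_flow() is kept for side-by-side reading. */
    printf("hardened flow ok: %d\n", hardened_flow());
    return 0;
}
```

The point of the hardened half is ownership discipline: whoever is in the middle of using an object holds a reference for the duration of that use, and no code path ever keeps a pointer past the release that may have destroyed the object.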


According to Security Advisory 2887505:

In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

"All supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone," but "if a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario."

From the bad to the ugly Microsoft category

Last week, four of the 13 Microsoft-issued updates were yanked for causing nasty retargeting loop headaches for some customers. After installing the updates, some users were notified to install updates again, and then again, in a vicious circle, as if they had not previously installed them. Microsoft said there were also cases "where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM)." The company fixed the flawed patches and released new updates.

Some folks may say that was a fluke, but it also happened in August; Microsoft had to pull security updates that caused functionality issues. The company claimed it had not properly tested the patches. "Are we starting to see a shift back to when people called Microsoft the necessary PITA [pain in the ass]?" asked Andrew Storms, director of DevOps at CloudPassage.

Good news from Microsoft

In the Microsoft good news category, Windows Phone 8 was given the FIPS 140-2 security thumbs up by the government. "FIPS 140-2 is a U.S. government security standard used to accredit the cryptographic algorithms that protect sensitive data inside products like smartphones," wrote the Windows Phone blog. "In all, Windows Phone 8 received accreditation for nine cryptographic certificates."

If things go according to Microsoft's plans, then Windows Phones will have a new virtual assistant in 2014. The Microsoft-flavored Siri is code-named "Cortana," after "an artificially intelligent character in Microsoft's Halo series who can learn and adapt." ZDNet added, "Cortana, Microsoft's assistant technology, likewise will be able to learn and adapt, relying on machine-learning technology and the 'Satori' knowledge repository powering Bing."

Lastly, Microsoft announced that Bing is moving on to "the next phase," which is more than a new logo and user interface. "Bing is now an important service layer for Microsoft, and we wanted to create a new brand identity to reflect Bing's company-wide role. The new look integrates the 'One Microsoft' vision both from a product perspective and visually." This seems to squash rumors that Microsoft might kick Bing to the curb. You can preview the modern Bing, this "new face of search," here.


Copyright © 2013 IDG Communications, Inc.
