 Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub kudos:4 4 edits | [REVISED] MS Security Advisory 979352 - Vulnerability in IE
Microsoft Security Advisory (979352)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Microsoft TechNet
Published: January 14, 2010 | Updated: January 15, 2010
Version 1.1
quote: Executive Summary
Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we're actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.
Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.
Mitigating Factors
- Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
- In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
- By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
Affected Software
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems
- Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
- Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
- Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
- Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
- Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
- Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
- Internet Explorer 8 for Windows Server 2003 Service Pack 2, and Windows Server 2003 x64 Edition Service Pack 2
- Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Internet Explorer 8 in Windows 7 for 32-bit Systems
- Internet Explorer 8 in Windows 7 for x64-based Systems
- Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
- Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems
Non-Affected Software
Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4
Revisions
- V1.0 (January 14, 2010): Advisory published
- V1.1 (January 15, 2010): Revised Executive Summary to reflect investigation of limited targeted attacks. Added Data Execution Protection (DEP) information to Mitigating Factors section. Updated "How does configuring the Internet zone security setting to High protect me from this vulnerability?" in the Frequently Asked Questions section.
»www.microsoft.com/technet/securi···352.mspx
Post edits:
- 2010-01-16 advisory updated to version 1.1
- 2010-01-16 post title altered for reason of advisory revision.
-- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ *Statements and opinions expressed in articles, reviews and other materials herein, reproduced by me, are those of the authors* |
|
 Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub kudos:4 | Re: Microsoft Security Advisory (979352) - Vulnerability in IE
Related post: »Hack of Adobe Conducted Via Zero-Day IE Flaw
FWIW, this vulnerability seems to be really serious/critical. |
|
 siljalineI'm lovin' that double widePremium join:2002-10-12 Montreal, QC kudos:17 Reviews:
·Bell Sympatico
| Yes this is critical since it is in-the-wild ! The suggested work-arounds would render IE useless on many sites, my suggestion for those using IE as a primary Browser is to surf as safely as possible, think before you click. Keep all your security software updated and don't be shy to run more safety scans than you normally would. |
|
 Smokey Bearveritas odium paritPremium join:2008-03-15 Annie's Pub kudos:4 | The Microsoft Security Response Center (MSRC): »blogs.technet.com/msrc/archive/2···352.aspx |
|
 | Mitigating Factors: Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
 |
|
 Smokey Bearveritas odium paritPremium join:2008-03-15 Annie's Pub kudos:4 | reply to Smokey Bear
Re: [REVISED] MS Security Advisory 979352 - Vulnerability in IE
quote: Microsoft Internet Explorer Arbitrary Code Execution
Secunia Advisory: SA38209
Release Date: 2010-01-15
Severity: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
»secunia.com/advisories/38209/ |
|
 Smokey Bearveritas odium paritPremium join:2008-03-15 Annie's Pub kudos:4 | reply to Smokey Bear The Microsoft Security Response Center (MSRC) Advisory 979352 Updated | January 15, 2010
quote: Today we updated Security Advisory 979352 to let customers know that we are aware that exploit code for the vulnerability used in recent attacks against IE 6 users, has now been made public. Information on which versions of Internet Explorer are vulnerable and what customers can do to protect themselves is included in the updated Security Advisory.
Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.
Additionally our Security Research & Defense team has written up a blog with additional technical details on the exploit, the vulnerability, mitigations and workarounds.
We continue to recommend customers review the information in the Advisory, implement the workarounds and mitigations, consider updating to Internet Explorer 8 which includes important protections not present in IE 6, and follow the information on our Protect Your PC website.
Jerry Bryant
Senior Security Communications Manager Lead
»blogs.technet.com/msrc/archive/2···ted.aspx |
|
|
|
 Blue2Premium join:2004-04-14 France kudos:1 | reply to Smokey Bear "The dangerous Internet Explorer attack code used in last month's attack on Google's corporate networks is now public.
The code was submitted for analysis Thursday on the Wepawet malware analysis Web site, making it publicly available. By Friday, it had been included in at least one publicly available hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee.
The attack is very reliable on Internet Explorer 6 running on Windows XP, and it could possibly be modified to work on more recent versions of the browser, Marcus said ... The problem is serious enough that on Friday, Germany's federal IT security agency, the Federal Office for Information Security, advised users (in German) to use an alternative browser until Microsoft fixes the issue."
»news.yahoo.com/s/pcworld/2010011···owpublic (emphasis added) |
|
 Reviews:
·Zen Internet
1 edit | reply to Smokey Bear
Further Insight into Security Advisory 979352 and the Threat Landscape
Sunday, January 17, 2010 7:58 PM by MSRCTEAM
quote: Hi All,
We wanted to provide you some insight into the vulnerability reported in Microsoft Security Advisory 979352, which is related to our ongoing investigation into the recently publicized attacks against Google and other large corporate networks. We understand that there is a lot of noise about this topic right now and we know that our customers are receiving a lot of information about this situation from a variety of sources, so we want to provide some additional insight.
First, we will provide an update on the threat landscape - there has been a lot of speculation, so we'll share detailed information on what Microsoft is seeing in terms of attacks across all of our monitoring systems. Second, we'll highlight what customers should do to protect themselves. Finally, I will provide an update on the continuing work at Microsoft to respond to this situation and help protect our customers.
In terms of the threat landscape, we are only seeing very limited number of targeted attacks against a small subset of corporations. The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time. This is likely due to improved security protections provided by newer versions of Internet Explorer and Windows as described in our recent Security Research and Defense Blog. In summary, we are not seeing any widespread attacks by any means, and thus far we are not seeing attacks focused on consumers.
That said, we remain vigilant about this threat evolving and want to be sure our customers take appropriate action to protect themselves. That is why we continue to recommend that customers using IE6 or IE7, upgrade to IE8 as soon as possible to benefit from the improved security protections it offers. Customers who are using Windows XP SP2 should be sure to upgrade to both IE8 and enable Data Execution Protection (DEP), or upgrade to Windows XP SP3 which enables DEP by default, as soon as possible. Additionally customers should consider implementing the workarounds and mitigations provided in the Security Advisory.
Additionally, even though we are only seeing limited targeted attacks today, we know that can change at any time. That is why through our Software Security Incident Response Plan (SSIRP), we actively monitor the threat landscape through our broad telemetry systems, including the Microsoft Malware Protection Center (MMPC), our Customer Service and Support group, and through our partners in the Microsoft Active Protection Program (MAPP) and the Microsoft Security Response Alliance (MSRA).
We want to assure you that we have teams working around the clock worldwide to develop a security update of appropriate quality for broad distribution to address this vulnerability.
We will continue to monitor this situation. Should we see any change in the threat landscape, we will update you as soon as possible, or otherwise provide you with daily updates here at the MSRC blog.
Thank you,
George Stathakopoulos General Manager Trustworthy Computing Security
»blogs.technet.com/msrc/archive/2···ape.aspx -- Wilders Security Forum Admin Microsoft MVP - Consumer Security
|
|
 ABPremium join:2006-04-04 Leesburg, VA kudos:3 Reviews:
·Verizon Online DSL
1 edit | said by George Stathakopoulos : quote: We understand that there is a lot of noise about this topic right now and we know that our customers are receiving a lot of information about this situation from a variety of sources, so we want to provide some additional insight.
. . there has been a lot of speculation . . . .
. . The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time.
. . we continue to recommend that customers using IE6 or IE7, upgrade to IE8 as soon as possible to benefit from the improved security protections it offers.
. . even though we are only seeing limited targeted attacks today, we know that can change at any time.
Bolding mine.
Some of that noise Mr. Stathakopoulos referred to, as well as possible flies in the ointment:
»www.eweek.com/c/a/Security/Franc···-321481/
»www.betanews.com/joewilcox/artic···63750606
*Edit- Yet another government weighs in:
»www.abc.net.au/news/stories/2010···5684.htm
And according to them: quote: Microsoft has acknowledged all recent versions of the program are vulnerable
|
|
 siljalineI'm lovin' that double widePremium join:2002-10-12 Montreal, QC kudos:17 Reviews:
·Bell Sympatico
| reply to Smokey Bear The Advisory was updated today
quote: For today's update we want to share some insight on the current threat landscape for Security Advisory 979352, some new resources we have published and the current status on producing a security update.
As we've previously reported, attacks remain targeted to a very limited number of corporations and are only effective against Internet Explorer 6.
We have not seen successful attacks on Internet Explorer 8. We continue to recommend customers upgrade to Internet Explorer 8 to benefit from the improved security protection it offers. Additionally at this time, we have not seen any successful attacks against Internet Explorer 7. However, earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims.
More @ Link -- siljaline
Support your local NGO |
|
 ABPremium join:2006-04-04 Leesburg, VA kudos:3 Reviews:
·Verizon Online DSL
| And in related news:
Chinese government spokesperson Wi Phuc Yu has recommended that all web surfers in all Western Hemisphere nations use only Internet Explorer.
Sorry, but I can't seem to find the link right at the moment . . . .  |
|
 CudniLa Merma - VigiladoPremium,MVM join:2003-12-20 Someshire kudos:13 | reply to Smokey Bear
Attack on IE 0-day refined by researchers from »www.securityfocus.com/brief/1064 ".. independent researcher Dino Dai Zovi had modified the exploit code by Monday morning to compromise Windows XP and Vista systems using Internet Explorer 7, he said. He expected to succeed in exploiting the same vulnerability on Internet Explorer 8 and Windows XP systems, he added. .."
Cudni -- "what we know we know the same, what we don't know, we don't know it differently." Help yourself so God can help you. Microsoft MVP, 2006 - 2009 |
|
 Reviews:
·DSL EXTREME
| »blogs.technet.com/msrc/archive/2···and.aspx
MS is going to issue an out of band patch for this exploit. |
|
 Reviews:
·MTS
| reply to Smokey Bear
Re: [REVISED] MS Security Advisory 979352 - Vulnerability in IE
The thing that's really scary about this (and similar issues) is the large number of corporate and gov't users that still have IE 6 as the standard browser. Mine included. My home PC is quite likely a lot more secure than my work PC. And it's unfortunate I have no control over patching and updating it. At least I know enough not to open those dodgy emails, click suspicious links, surf to who-knows-where. But as for the 30,000+ other people where I work... We have to rely on the other security measures in place.
Trying to keep 30,000 or so users educated on security issues is also next to impossible. There's at least one wingnut in the bunch that will do what they shouldn't. And I've spoken with several...  |
|
 mysec Premium join:2005-11-29 kudos:4 | Same old type of IE exploit
Like most IE exploits, the payload in this case is a trojan executable:
IExplorer 0day CVE-2010-0249 Exploit-Comele / Hydraq / Aurora
»extraexploit.blogspot.com/2010/0···249.html
The following shown the point of code where its used the urlmon.dll method to download the binary ad.jpg :
(My bolding)
He refers to a screenshot of the exploit code showing urlmon.dll. This method has been used in countless IE vulnerabilities.
This is not to downplay the severity of an unpatched exploit, but just to show that those security-minded people who keep on top of things would never succumb to an exploit that attempts to download/install a trojan executable.
REFERENCE
»vil.nai.com/vil/content/v_253210.htm
This exploit was used during stage I of Operation Aurora.
Analysis of the initial heavily-encrypted javascript exploit revealed that, if successful, the exploit would cause a connection to 'hxxp://demo[remove].jpg' downloading a malicious, XOR-encrypted binary that we detect as Roarur.dr.
---- rich |
|
 | where can we download this patch? |
|
 | It will be posted as and when it has been finalized and will be available at the Windows Update site. |
|
 siljalineI'm lovin' that double widePremium join:2002-10-12 Montreal, QC kudos:17 Reviews:
·Bell Sympatico
| reply to slajoh01 It's all in dp 's post »Advance Notification for Out-of-Band Bulletin Release |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | reply to mysec McAfee tool, Aurora Stinger, released yesterday, detects and repairs all known variants of Aurora. »siblog.mcafee.com/cto/stay-tuned···e-patch/
Download here: »vil.nai.com/vil/averttools.aspx -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|