[LINK] Aus Govt issues IE security warning
stephen at melbpc.org.au
Tue Jan 19 19:57:41 AEDT 2010
Govt issues IE security warning
Emily Bourke ABC News www.abc.net.au/news/stories/2010/01/19/2795684.htm
The Australian Government is warning that people risk having their
computers infiltrated and passwords stolen unless they install temporary
fixes from Microsoft or use alternative browsers.
The Government says Microsoft has acknowledged all recent versions of the
program are vulnerable. It also says people should remember to regularly
update their security software and change passwords frequently ..
The Government says Microsoft has not solved the security glitch and
Australians should use alternative browsers.
Microsoft Security Advisory (979352)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: January 14, 2010 | Updated: January 15, 2010
Microsoft is investigating reports of limited, targeted attacks against
customers of Internet Explorer 6, using a vulnerability in Internet
Explorer. This advisory contains information about which versions of
Internet Explorer are vulnerable as well as workarounds and mitigations
for this issue.
Our investigation so far has shown that Internet Explorer 5.01 Service
Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack
4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8
on supported editions of Windows XP, Windows Server 2003, Windows Vista,
Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
The vulnerability exists as an invalid pointer reference within Internet
Explorer. It is possible under certain conditions for the invalid pointer
to be accessed after an object is deleted. In a specially-crafted attack,
in attempting to access a freed object, Internet Explorer can be caused
to allow remote code execution.
At this time, we are aware of limited, targeted attacks attempting to use
this vulnerability against Internet Explorer 6. We have not seen attacks
against other versions of Internet Explorer. We will continue to monitor
the threat environment and update this advisory if the situation changes.
On completion of this investigation, Microsoft will take appropriate
action to protect our customers, which may include providing a solution
through our monthly security update release process, or an out-of-cycle
We are actively working with partners in our Microsoft Active Protections
Program (MAPP) and our Microsoft Security Response Alliance (MSRA)
programs to provide information that they can use to provide broader
protections to customers. In addition, we're actively working with
partners to monitor the threat landscape and take action against
malicious sites that attempt to exploit this vulnerability.
Microsoft continues to encourage customers to follow the "Protect Your
Computer" guidance of enabling a firewall, applying all software updates
and installing anti-virus and anti-spyware software. Additional
information can be found at Security at home.
Data Execution Protection (DEP) is enabled by default in Internet
Explorer 8 on the following Windows operating systems: Windows XP Service
Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and
Protected Mode in Internet Explorer on Windows Vista and later Windows
operating systems limits the impact of the vulnerability.
In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, compromised Web sites and Web sites that accept or host user-
provided content or advertisements could contain specially crafted
content that could exploit this vulnerability. In all cases, however, an
attacker would have no way to force users to visit these Web sites.
Instead, an attacker would have to convince users to visit the Web site,
typically by getting them to click a link in an e-mail message or Instant
Messenger message that takes users to the attacker's Web site.
An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less affected
than users who operate with administrative user rights.
By default, Internet Explorer on Windows Server 2003 and Windows Server
2008 runs in a restricted mode that is known as Enhanced Security
Configuration. This mode sets the security level for the Internet zone to
High. This is a mitigating factor for Web sites that you have not added
to the Internet Explorer Trusted sites zone.
By default, all supported versions of Microsoft Outlook, Microsoft
Outlook Express, and Windows Mail open HTML e-mail messages in the
Restricted sites zone. The Restricted sites zone helps mitigate attacks
that could try to exploit this vulnerability by preventing Active
Scripting and ActiveX controls from being used when reading HTML e-mail
messages. However, if a user clicks a link in an e-mail message, the user
could still be vulnerable to exploitation of this vulnerability through
the Web-based attack scenario.
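The advisory describes the bug class only in one sentence: an invalid pointer that can still be reached after the object it pointed to has been deleted. The following C program is an added illustration (not code from Microsoft, the advisory, or the ABC article) of the defensive design that closes that window: objects are addressed through generation-tagged handles rather than raw pointers, so a reference held past a delete, or past the slot being reused for a new object, fails a lookup instead of reading freed memory. Every name in it (`object_t`, `handle_t`, `obj_create`, `obj_get`, `obj_delete`, `stale_handle_is_rejected`) is an assumption of this example, and the object table is constructed in-process; it runs stand-alone with no browser involved.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Microsoft's code: a small object table that hands
 * out generation-tagged handles instead of raw pointers. Deleting an object
 * bumps the slot's generation, so a handle kept past the delete (the pattern
 * the advisory describes) fails a lookup instead of touching freed memory. */

#define MAX_OBJECTS 4
#define NAME_LEN 16

typedef struct {
    uint32_t generation;   /* incremented on every delete of this slot */
    bool     live;         /* slot currently holds an object */
    char     name[NAME_LEN];
} object_t;

typedef struct {
    uint32_t index;        /* slot in the table */
    uint32_t generation;   /* generation the handle was issued with */
} handle_t;

static object_t table[MAX_OBJECTS];   /* constructed, starts empty */

/* Create an object in the first free slot; index == MAX_OBJECTS means full. */
handle_t obj_create(const char *name)
{
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (!table[i].live) {
            table[i].live = true;
            snprintf(table[i].name, NAME_LEN, "%s", name);
            return (handle_t){ .index = i, .generation = table[i].generation };
        }
    }
    return (handle_t){ .index = MAX_OBJECTS, .generation = 0 };
}

/* Resolve a handle; NULL if the slot is out of range, empty, or the
 * handle's generation no longer matches (i.e. the object was deleted). */
object_t *obj_get(handle_t h)
{
    if (h.index >= MAX_OBJECTS) return NULL;
    object_t *o = &table[h.index];
    if (!o->live || o->generation != h.generation) return NULL;
    return o;
}

/* Delete the object: scrub the payload and invalidate every outstanding handle. */
bool obj_delete(handle_t h)
{
    object_t *o = obj_get(h);
    if (o == NULL) return false;       /* already gone: double delete rejected */
    memset(o->name, 0, NAME_LEN);
    o->live = false;
    o->generation++;                   /* every old handle now mismatches */
    return true;
}

/* The name behind a handle, or NULL when the handle is invalid or stale. */
const char *obj_name(handle_t h)
{
    object_t *o = obj_get(h);
    return o ? o->name : NULL;
}

/* Walk through the dangerous sequence: hold a reference, delete the object,
 * let the slot be reused by a new object, then try the old reference.
 * Returns true when every stale access was rejected. */
bool stale_handle_is_rejected(void)
{
    handle_t first = obj_create("script-held");
    handle_t second;
    bool ok = true;

    ok = ok && obj_delete(first);                 /* object goes away */
    ok = ok && obj_get(first) == NULL;            /* stale handle: rejected */
    second = obj_create("reused-slot");           /* same slot, new generation */
    ok = ok && second.index == first.index;
    ok = ok && obj_get(first) == NULL;            /* still rejected after reuse */
    ok = ok && strcmp(obj_name(second), "reused-slot") == 0;
    ok = ok && obj_delete(first) == false;        /* double delete: rejected */
    obj_delete(second);                           /* leave the table clean */
    return ok;
}

int main(void)
{
    printf("stale handle rejected: %s\n",
           stale_handle_is_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the generation counter is the slot-reuse step: nulling a pointer after free protects only the one copy that was nulled, whereas a generation check catches every copy of the old reference, including one stashed somewhere the deleting code never sees. That is the same property the mitigations in the advisory (DEP, Protected Mode, the Restricted sites zone) try to approximate from the outside when the code itself cannot be changed.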