[LINK] Aus Govt issues IE security warning

stephen at melbpc.org.au stephen at melbpc.org.au
Tue Jan 19 19:57:41 AEDT 2010


Govt issues IE security warning

Emily Bourke ABC News  www.abc.net.au/news/stories/2010/01/19/2795684.htm

The Australian Government is warning that people risk having their 
computers infiltrated and passwords stolen unless they install temporary 
fixes from Microsoft or use alternative browsers.

The Government says Microsoft has acknowledged all recent versions of the 
program are vulnerable. It also says people should remember to regularly 
update their security software and change passwords frequently ..

The Government says Microsoft has not solved the security glitch and 
Australians should use alternative browsers.

--

Microsoft Security Advisory (979352)

Vulnerability in Internet Explorer Could Allow Remote Code Execution

Published: January 14, 2010 | Updated: January 15, 2010
http://www.microsoft.com/technet/security/advisory/979352.mspx

Executive Summary

Microsoft is investigating reports of limited, targeted attacks against 
customers of Internet Explorer 6, using a vulnerability in Internet 
Explorer. This advisory contains information about which versions of 
Internet Explorer are vulnerable as well as workarounds and mitigations 
for this issue.

Our investigation so far has shown that Internet Explorer 5.01 Service 
Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that 
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 
4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 
on supported editions of Windows XP, Windows Server 2003, Windows Vista, 
Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.

The vulnerability exists as an invalid pointer reference within Internet 
Explorer. It is possible under certain conditions for the invalid pointer 
to be accessed after an object is deleted. In a specially-crafted attack, 
in attempting to access a freed object, Internet Explorer can be caused 
to allow remote code execution. 

At this time, we are aware of limited, targeted attacks attempting to use 
this vulnerability against Internet Explorer 6. We have not seen attacks 
against other versions of Internet Explorer. We will continue to monitor 
the threat environment and update this advisory if the situation changes. 
On completion of this investigation, Microsoft will take appropriate 
action to protect our customers, which may include providing a solution 
through our monthly security update release process, or an out-of-cycle 
security update.

We are actively working with partners in our Microsoft Active Protections 
Program (MAPP) and our Microsoft Security Response Alliance (MSRA) 
programs to provide information that they can use to provide broader 
protections to customers. In addition, we’re actively working with 
partners to monitor the threat landscape and take action against 
malicious sites that attempt to exploit this vulnerability.

Microsoft continues to encourage customers to follow the "Protect Your 
Computer" guidance of enabling a firewall, applying all software updates 
and installing anti-virus and anti-spyware software. Additional 
information can be found at Security at home.

Mitigating Factors: 

• Data Execution Protection (DEP) is enabled by default in Internet 
Explorer 8 on the following Windows operating systems: Windows XP Service 
Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and 
Windows 7. 
 
• Protected Mode in Internet Explorer on Windows Vista and later Windows 
operating systems limits the impact of the vulnerability.
 
• In a Web-based attack scenario, an attacker could host a Web site that 
contains a Web page that is used to exploit this vulnerability. In 
addition, compromised Web sites and Web sites that accept or host user-
provided content or advertisements could contain specially crafted 
content that could exploit this vulnerability. In all cases, however, an 
attacker would have no way to force users to visit these Web sites. 
Instead, an attacker would have to convince users to visit the Web site, 
typically by getting them to click a link in an e-mail message or Instant 
Messenger message that takes users to the attacker’s Web site.
 
• An attacker who successfully exploited this vulnerability could gain 
the same user rights as the local user. Users whose accounts are 
configured to have fewer user rights on the system could be less affected 
than users who operate with administrative user rights.
 
• By default, Internet Explorer on Windows Server 2003 and Windows Server 
2008 runs in a restricted mode that is known as Enhanced Security 
Configuration. This mode sets the security level for the Internet zone to 
High. This is a mitigating factor for Web sites that you have not added 
to the Internet Explorer Trusted sites zone.
 
• By default, all supported versions of Microsoft Outlook, Microsoft 
Outlook Express, and Windows Mail open HTML e-mail messages in the 
Restricted sites zone. The Restricted sites zone helps mitigate attacks 
that could try to exploit this vulnerability by preventing Active 
Scripting and ActiveX controls from being used when reading HTML e-mail 
messages. However, if a user clicks a link in an e-mail message, the user 
could still be vulnerable to exploitation of this vulnerability through 
the Web-based attack scenario.

--

Cheers,
Stephen



More information about the Link mailing list