
All versions vulnerable
By Elinor Mills
Published: 15 December 2008 08:32 GMT
An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicised last week, Microsoft says.
Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable.
For the most effective protection against an attack, the company recommends setting the internet zone security setting to "high" and using access control lists to disable Oledb32.dll.
Christopher Budd wrote in the Microsoft Security Response Center blog: "Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems."
Microsoft has seen several hundred detections of exploits from around the globe, though the sites taking advantage of the vulnerability appear to be hosted on Chinese domains, Microsoft said in a Microsoft Malware Protection Center blog.
"The exploit sites we've seen so far drop a wide variety of malware - most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; Trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack," the blog said. "We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the internet underground."
People visiting trusted sites could be affected as well, because SQL injection attacks are being used to inject malicious code into legitimate sites, Microsoft says.
A Microsoft spokesman said he could not say when a fix would come. The next Patch Tuesday is scheduled for 13 January.
Microsoft's updated advisory lists a number of mitigating factors: Protected Mode in IE 7 and IE 8 in Windows Vista limits the impact of the vulnerability; IE on Windows Server 2003 and 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the internet to high; the attacker could only gain the same user rights as the local user; known attacks cannot exploit the issue automatically through email.
Original article: Microsoft: Hole exploit endangers all IE versions from CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.