NEWS
An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicised last week, Microsoft says.
Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable.
Security from A to Z
Click on the links below to find out more...
A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day
The company recommends setting the internet zone security setting to "high" and using access control lists to disable Ole32db.dll to provide the most effective protection against an attack.
Christopher Budd wrote in the Microsoft Security Response Center blog: "Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems."
Microsoft has seen several hundred detections of exploits from around the globe, though the sites taking advantage of the vulnerability appear to be hosted on Chinese domains, Microsoft said in a Microsoft Malware Protection Center blog.
"The exploit sites we've seen so far drop a wide variety of malware - most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; Trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack," the blog said. "We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the internet underground."
People visiting trusted sites could be affected as well from sites targeted by SQL injection attacks through which malicious code is injected into sites, Microsoft says.
A Microsoft spokesman said he could not say when a fix would come. The next Patch Tuesday is scheduled for 13 January.
Microsoft's updated advisory lists a number of mitigating factors: Protected Mode in IE 7 and IE 8 in Windows Vista limits the impact of the vulnerability; IE on Windows Server 2003 and 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the internet to high; the attacker could only gain the same user rights as the local user; known attacks can not exploit the issue automatically through email.
Comments
There is 1 comment. Join the discussion
1. Matt H
IE and ALL other web browsers keep crashing under Vista, so well done on the security fix Microsoft, you've stopped the hackers by disabling PC Users web browsing capabilities!