Microsoft Planning IE Patch Following Google Attack

Microsoft plans to release an out-of-band patch to plug the zero-day security hole exploited recently in attacks on Google and other companies.

George Stathakopoulos, general manager of Microsoft’s Trustworthy Computing Security group, announced that Microsoft would offer a timeline for the patch on 20 Jan. The company’s move follows news that France and Germany are encouraging users to shun Internet Explorer for now in favor of other browsers.

In addition, researchers from Vupen Security reported on 19 Jan. that the company had developed exploit code that could circumvent the DEP (Data Execution Prevention) mechanism in IE 8, which so far is not known to have been targeted by attackers.

However, Vupen CEO Chaouki Bekrar said the Vupen exploit is not publicly available and was distributed exclusively to IPS (intrusion prevention system), IDS (intrusion detection system) and anti-virus vendors that are members of the Vupen In-Depth Vulnerability Analysis and Exploits Service.

“We used in-house and undisclosed methods to bypass permanent DEP and reliably execute arbitrary code,” Bekrar said. “We first used and improved this method a few weeks ago when we exploited another Internet Explorer 8 vulnerability.”

The best defense against the exploit is to disable JavaScript, Bekrar said.

In the past few days, France and Germany have advised their citizens to switch from IE to other browsers as they await a patch from Microsoft. Attack code for the vulnerability meanwhile continues to appear on the Internet, though so far it seems to have only been used successfully in targeted attacks focused on IE 6.

“The recommendations from France and Germany seem to be an overreaction to the actual risk,” opined Andrew Storms, director of security operations at nCircle. “In my opinion, this reaction should be considered in the context of the contentious and litigious relationship that many EU countries have with Microsoft in general. This is a perfect example of people looking at something that’s happening in the threat environment and generalising the threat from an emotional reaction instead of really quantifying risk that is specific to their business.”

For its part, Microsoft is still recommending that users upgrade to IE 8 as they wait for a patch.

“We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time,” Stathakopoulos wrote on the Microsoft Security Response Center blog.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago