Patch for IE hole to be released today

[nsane.forums]

Microsoft has announced that the patch for Internet Explorer is to be released this evening. According to first reports, active exploits using the hole have now appeared on publicly accessible web servers

View: Original Article

[tonyblair]

Interesting article. Thanks

Is Internet Explorer 8 protected against this exploit or not?

[Night Owl]

Yes, Internet Explorer 8 is protected. Just a few minutes ago I installed:

Cumulative Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB978207)

Installation date: ‎01/‎21/‎2010 3:24 PM

Installation status: Successful

Update type: Important

Security issues have been identified that could allow an attacker to compromise a system that is running Microsoft Internet Explorer and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this item, you may have to restart your computer.

More information:

http://go.microsoft.com/fwlink/?LinkId=179104

Help and Support:

http://support.microsoft.com

[DKT27]

Microsoft fixes 8 IE holes, including one used in attacks

Microsoft on Thursday issued a cumulative critical patch for Internet Explorer that fixes eight vulnerabilities, including a hole targeted in the China-based attacks on Google and other U.S. companies.

The security update is rated critical for all supported releases of IE 5, 6, 7, and 8, according to the advisory. The more severe vulnerabilities could allow remote code execution if a user views a malicious Web page using IE, it said.

This IE security update was already planned for release on the next scheduled Patch Tuesday (February 9), Jerry Bryant, senior security program manager at Microsoft, said in a blog post.

Microsoft has known about the hole for at least four months, after it was privately disclosed it to the company, Bryant said.

"When the attack discussed in Security Advisory 979352 was first brought to our attention on January 11, we quickly released an advisory for customers two days later," he wrote. "As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September."

Installing the IE update addresses the vulnerability across all applications, even those using the same dynamic link library and which allow active scripting--which were discovered to be possible attack vectors, he said.

Microsoft also scheduled a Webcast to discuss the bulletin for 1 p.m. PST.

Microsoft acknowledged the hole a week ago, two days after Google disclosed the attacks launched against it and what is now believed to be more than 30 other companies. In the attacks, only IE 6 was targeted, Microsoft said.

Exploit code for the hole was published to the Internet the day after Microsoft went public with the IE warning.

"Microsoft continues to see limited and targeted attacks against Internet Explorer 6 only," Bryant said in a statement. "However, Microsoft recommends customers deploy the security update as soon as possible to protect themselves against the known attacks."

For an attack to be accomplished, an attacker would have to lure an IE user to a Web site hosting malware that was written to exploit the hole in the browser. This could be done by using social engineering and including a link to the malicious site in an e-mail that looks like it is coming from someone familiar or contains important information. Once a computer is infected, an attacker could take complete control of it.

Internet surfers should have already updated from IE 6, which is nearly 10 years old, said Oliver Lavery, manager of the vulnerability and exposure research team at nCircle.

"IE 6 is fundamentally much less secure than IE 8, regardless of patching. Yet IE 6 still had the largest market share of any version of IE as of December 2009--at 20.99 percent," he said. "This has created a situation of systemic vulnerability in many enterprises as the software many of their employees use every day is fundamentally not very secure."

Meanwhile, Trend Micro and Symantec said on Thursday that they had identified new malware samples that exploit the IE vulnerability used in the Google attacks. One new exploit that is being hosted on hundreds of Web sites is detected by Symantec as Trojan.Malscript, Symantec said in a statement. TrendLabs researchers said in a blog post that they discovered that the new scripts targeting the IE hole are versions of JS_DLoader.

Websense reported on its blog that targeted attacks like those that hit Google and using the IE hole appear to have started during the week of December 20 and are ongoing to government, defense, energy and sectors, and other organizations in the U.S. and the United Kingdom. Victims are receiving targeted e-mails with malware that appears to be a data-stealing Trojan, according to Websense.

Also on Thursday, Microsoft warned of a hole in the 32-bit versions of Windows and offered information on a workaround until a patch was released.

Source - CNET

[Bizarre™]

Patched or not, my main browser will still be Firefox :D

[Night Owl]

Yes, long live Firefox!! :D

[DKT27]

I gurantee, within next month, you will see another windows update saying that critical IE flaw fixed in this update, updating is strongly recommended.

:lmao:

[Night Owl]

@DKT27: And with that there might be a Microsoft Silverlight critical vulnerability fixed in that update too. :lol: :lmao:

[Bizarre™]

No doubt :lmao:

By that time, Firefox will be :king:

[DreamHaters]

Urgh!

Had to restart my computer because of this patch.