Customer Relationship Management News NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
Home CRM Systems Customer Service Contact Centers Business Intelligence More Topics...
You are here: Home / Enterprise I.T. / Microsoft Issues Fix It for IE Zero Day
Gartner's #1 for endpoint backup
Microsoft Releases 'Fix It' for Zero-Day Vulnerability
Microsoft Releases 'Fix It' for Zero-Day Vulnerability
By Jennifer LeClaire / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
FEBRUARY
21
2014



Redmond has issued a fix for the so-called watering hole attack. Microsoft confirmed reports last week of an active campaign attack affecting Internet Explorer 10 users.

Since then, it turns out IE 9 users are also at risk, but anyone using older versions are immune. The good news: Microsoft is pushing out a “Fix it” solution called "MSHTML Shim Workaround" it says prevents the exploitation of this issue.

“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” Microsoft said in a security advisory.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site.”

Social Engineering at Play

There are mitigating factors. For example, IE on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration by default. This mode mitigates this vulnerability. But the risks are real for many.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” Microsoft said. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. Microsoft said compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.

“In all cases, however, an attacker would have no way to force users to visit these Web sites,” the company explained. “Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.”

A Fix is Not a Patch

We caught up with Tyler Reguly, manager of security research for Tripwire, to get his take on the release. He told us it’s important to make the distinction here between a Fix it solution and a patch. (continued...)

1  |  2  |  Next Page >

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY BE OF INTEREST
IT departments are embracing cloud backup, but there's a lot you need to know before choosing a service provider. Learn all the critical things you need to know by accessing the white paper, "5 Things You Didn't Know About Cloud Backup". Access the White Paper now.
MORE IN ENTERPRISE I.T.
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Dairy Queen Latest Retailer To Report Hack
Dairy Queen is known for its hot fries and sweet treats, but it just made cyber history as the latest victim of a hack attack. The fast food chain said that customer data at some stores may be at risk.
 
Lessons from the JPMorgan Chase Cyberattack
JPMorgan Chase is investigating a likely cyberattack. The banking giant is cooperating with law enforcement, including the FBI, to understand what data hackers may have obtained.
 
Who Is the Hacker Group Lizard Squad?
Are they dangerous or just obnoxious? That’s what many are wondering about the hacker group Lizard Squad, which tweeted out a bomb threat that grounded a flight with a Sony exec aboard.
 

Enterprise Hardware Spotlight
Intel Intros Lightning-Fast PC Processors
Call it extreme. Intel just took the covers off its first-ever eight-core desktop processor, which is aimed at hardcore power users who expect more than the status quo from their computers.
 
HP Previews ProLiant Gen9 Data Center Servers
Because traditional data center and server architectures are “constraints” on businesses, HP is releasing new servers aimed at faster, simpler and more cost-effective delivery of computing services.
 
Apple Set To Release Largest iPad Ever
Tech giant Apple seems to have adopted the mantra “go big or go home.” The company is planning to introduce its largest iPad ever: a 12.9-inch behemoth that will dwarf its largest existing models.
 

Mobile Technology Spotlight
Samsung Maps Its Way with Nokia's 'Here' App for Galaxy Phones
Korean electronics giant Samsung has opted to license Here, Nokia’s mapping app -- formerly known as Nokia Maps -- for its Tizen-powered smart devices and Samsung Gear S wearable.
 
Google Successfully Tests Its Own Delivery Drone
While top technology companies are engaged in an "arms race" to develop drones that can quickly deliver goods to anyone anywhere, Google has revealed it successfully tested its own version.
 
Will iPhone Finally Catch Up with NFC Mobile Payment Ability?
Apple's latest version of the iPhone may have a mobile wallet to pay for purchases with a tap of the phone. The iPhone 6 reportedly is equipped with near-field communication (NFC) technology.
 

Navigation
CRM Daily
Home/Top News | CRM Systems | Customer Service | Contact Centers | Business Intelligence | Sales & Marketing | Customer Data | CRM Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.