Security Market Segment LS
Thursday, 04 November 2010 08:54

Another Internet Explorer zero-day vulnerability exploited in targeted attack

By

A number of organisations around the world have been targeted by an attack using a previously unknown vulnerability in Internet Explorer.


The latest security advisory concerning Internet Explorer involves an exploit that has only been seen one one website so far. According to Symantec, that was a legitimate site that had been infiltrated by the attackers and used to host their malicious content.

Symantec's Vikram Thakur said the attack took the form of an email purportedly about hotel bookings that was sent to "a select group of individuals within targeted organisations" containing a link to the page containing the exploit.

The exploit silently installed malware that created a backdoor on the victim computer and accessed a server in Poland to download small, encrypted files containing commands.

"Looking at the flow of commands, it is obvious to us that someone is entering these commands manually from a remote computer," said Thakur.

While the attackers specifically targeted Internet Explorer 6 and 7, but Microsoft has determined that the underlying problem is also present in IE 8 though mitigated by DEP (data execution prevention). DEP is enabled by default for IE 8, and can be enabled on earlier versions by using Microsoft's free Enhanced Mitigation Experience Toolkit (EMET).

How did the exploit work? See page 2.




"Internet Explorer 9 Beta users are not affected by this issue and any customers who wish to upgrade their browser to this version can do so freely at www.microsoft.com/ie," said a Microsoft spokesperson. However, few organisations are comfortable running beta software on production systems.

It appears that the targeted organisations (and Thakur said there "more than a few") generally weren't using IE 6 or 7, or they had already implemented mitigations such as DEP. Analysis of the log files from the compromised server showed that "very few" visitors had accessed the payload file. "We are not aware of any affected customers," said Jerry Bryant, group manager, response communications at Microsoft's trustworthy computing group.

The vulnerability itself involves CSS handling. It turns out that when faced with a certain combination of CSS tags, IE allocates insufficient memory to store them, potentially allowing the partial overwriting of a pointer. This situation is potentially exploitable using a heap spray attack.

According to the Microsoft Security Response Center engineering team, DEP blocks this type of attack, and attempts to circumvent it will be "highly unreliable (i.e. causing IE to crash)," particularly on systems supporting ASLR (address space layout randomisation).

Further protection against the vulnerability can be gained by applying a custom CSS. Instructions can be found in the advisory (see 'Workarounds').

Microsoft is developing a security update to dix the vulnerability, and it will apparently be released on a subsequent Patch Tuesday: "The issue does not meet the criteria for an out-of-band release," said Bryant.

 


Subscribe to ITWIRE UPDATE Newsletter here

Now’s the Time for 400G Migration

The optical fibre community is anxiously awaiting the benefits that 400G capacity per wavelength will bring to existing and future fibre optic networks.

Nearly every business wants to leverage the latest in digital offerings to remain competitive in their respective markets and to provide support for fast and ever-increasing demands for data capacity. 400G is the answer.

Initial challenges are associated with supporting such project and upgrades to fulfil the promise of higher-capacity transport.

The foundation of optical networking infrastructure includes coherent optical transceivers and digital signal processing (DSP), mux/demux, ROADM, and optical amplifiers, all of which must be able to support 400G capacity.

With today’s proprietary power-hungry and high cost transceivers and DSP, how is migration to 400G networks going to be a viable option?

PacketLight's next-generation standardised solutions may be the answer. Click below to read the full article.

CLICK HERE!

WEBINAR PROMOTION ON ITWIRE: It's all about webinars

These days our customers Advertising & Marketing campaigns are mainly focussed on webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://www.itwire.com/itwire-update.html and Promotional News & Editorial.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

We have a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you.

MORE INFO HERE!

BACK TO HOME PAGE
Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments