Microsoft: Hole Exploit Endangers All IE Versions



December 12, 2008 12:41 PM PST

Microsoft: Hole exploit endangers all IE versions

Posted by Elinor Mills

An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicized two days ago, Microsoft says.

Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable.

The company recommends setting the Internet zone security setting to "high" and using access control lists to disable Ole32db.dll to provide the most effective protection against an attack.

"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd writes in the Microsoft Security Response Center blog.

Microsoft has seen several hundred detections of exploits from around the globe, though the sites taking advantage of the vulnerability appear to be hosted on Chinese domains, Microsoft said in a Microsoft Malware Protection Center blog.

"The exploit sites we've seen so far drop a wide variety of malware--most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack," the Malware Protection Center blog says. "We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the Internet underground."

full story here: http://news.cnet.com/8300-1009_3-83.html


Microsoft confirms that all versions of IE have critical new bug

It adds IE6 and IE8 Beta 2 to the list, recommends disabling .dll to stay safe

December 12, 2008 (Computerworld)

"The unpatched bug in Internet Explorer 7 (IE7) that hackers are now exploiting also exists in older versions of the browser, including the still-widely-used IE6, Microsoft Corp. said late yesterday.

Today, a Danish security researcher added that Microsoft's original countermeasure advice was insufficient and recommended that users take one of the new steps the company spelled out.

In a revised security advisory, Microsoft said research confirmed that the bug is within all its browsers, including those it currently supports -- IE5.01, IE6 and IE7 -- as well as IE8 Beta 2, a preview version that the company doesn't support through normal channels.

Users running any of those browsers on Windows 2000, XP, Vista, Server 2003 or Server 2008 are at risk, Microsoft said.

Even so, the company continued to downplay the severity of the threat. "At this time, we are aware only of limited attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said the advisory.

Microsoft also spelled out the root of the problem, saying that the bug is in IE's data binding functionality and, contrary to earlier reports by independent security researchers, not in the HTML rendering code."

full story here: http://www.computerworld.com/action/articl...tsrc=hm_ts_head
