27
Apr 14

Microsoft Warns of Attacks on IE Zero-Day

facebooktwittergoogle_plusredditpinterestlinkedinmail

Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.

In an alert posted on Saturday, Microsoft said it is aware of  “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.

Microsoft’s security advisory credits security firm FireEye with discovering the attack. In its own advisory, FireEye says the exploit currently is targeting IE9 through IE11 (although the weakness also is present in all earlier versions of IE going back to IE6), and that it leverages a well-known Flash exploitation technique to bypass security protections on Windows.

ie0daymitigationMicrosoft has not yet issued a stopgap “Fix-It” solution for this vulnerability. For now, it is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help beef up security on Windows. Microsoft notes that EMET 3.0 doesn’t mitigate this attack, and that affected users should instead rely on EMET 4.1. I’ve reviewed the basics of EMET here. The latest versions of EMET are available here.

According to information shared by FireEye, the exploit also can be blocked by running Internet Explorer in “Enhanced Protected Mode” configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings as shown in the graphic above.

This is the first of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users. Microsoft last month shipped its final set of updates for XP. Unfortunately, many of the exploit mitigation techniques that EMET brings do not work in XP.

Tags: , , , , ,

100 comments

  1. This IE patch doesn’t even show up when I run Windows Update on a Vista computer I have. Seems to be something wrong with Windows Update on this Vista computer – it always shows fewer security patches than a Windows 7 computer I have. I doubt Vista has fewer security problems than Windows 7.

  2. You actually make it appear so easy along with your presentation however I find this topic to be actually something which
    I feel I would by no means understand. It seems too complex and extremely large for me.
    I am taking a look forward in your next post, I will try to get the dangle of it!

    For the best review please click the link to this website; click here

  3. too many IT departments are handcuffed by overlords who toe the “No one ever got fired for buying Microsoft” line. I remember when it was IBM. Of course I was running something the size of several refrigerators.

  4. Other IT department are handcuffed by the “you can upgrade the desktop OSes if you want, but you don’t have time because you are fighting fires all the time and we won’t give you an adequate budget to solve your problems” management style.

  5. That’s every IT department everywhere. If you aren’t making the company money, you’re only costing the company money and they want the cost to be as little as they can get away with. Learn to position yourself as a strategic enabler of profit and you’ll see new doors open up.

  6. “a strategic enabler of profit”

    Lol.


Read previous post:
Phishers Divert Home Loan Earnest Money

It looks like it's time to update my Value of a Hacked Email Account graphic: Real estate and title agencies...

Close