Saturday 70

Unpatched Internet Explorer

Filed under: Computers, Security — Tags: , , — zundel @ am

Switch to Chrome.

New Attacks Leverage Unpatched IE Flaw, Microsoft Warns

An Internet Explorer flaw made public by a Google security researcher two months ago is now being used in online attacks.

The flaw, which has not yet been patched, has been used in “limited, targeted attacks,” Microsoft said Friday

Public for two months, still not patched, and now exploited. So glad to see that they’ve started taking security seriously.

The attack is triggered when the victim is tricked into visiting a maliciously encoded web page […]

The flaw lies in the Windows mshtml.dll software library used by Internet Explorer, and affects all currently supported versions of Windows. [emphasis added]

Microsoft has released a Fixit tool that users can download to repair the problem, but has not said when, or even if, it plans to push out a comprehensive security update to all users.

Michal Zalewski […] said that he warned Microsoft about the flaw back in July. Microsoft maintains that it was unable to reproduce the problem until December.

July, August, September, October, November, December
December, January, February, March, …

Microsoft Security Advisory (2501696)

Did you receive notice of this vulnerability?

Best go patch your systems. You have to do it manually: it will not happen automatically through an update.
And they have the patch wizard available only in English.


1 Comment »

  1. A note on an MHTML vulnerability

    Based on this 2007 advisory, it appears that a variant of this issue first appeared in 2004, and has been independently re-discovered several times in that timeframe. In 2006, the vendor reportedly acknowledged the behavior as “by design”; but in 2007, partial mitigations against the attack were rolled out as a part of MS07-034 (CVE-2007-2225).

    It appears that the affected sites generally have very little recourse to stop the attack

    Comment by zundel — Saturday 70 @ am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: