l****z
发帖数: 29846 | 1 Microsoft warns of IE zero day in the wild, all IE versions vulnerable
By Ms. Smith
Microsoft is warning of a zero-day exploit targeting Internet Explorer. On
Tuesday, the company posted a security advisory [1] stating "Microsoft is
investigating public reports of a vulnerability in all supported versions of
Internet Explorer. Microsoft is aware of targeted attacks that attempt to
exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9."
Microsoft issues Fix It workaround for new zero day targeting all versions
of IE [2]
The vulnerability is a remote code execution vulnerability. The
vulnerability exists in the way that Internet Explorer accesses an object in
memory that has been deleted or has not been properly allocated. The
vulnerability may corrupt memory in a way that could allow an attacker to
execute arbitrary code in the context of the current user within Internet
ZERO-DAY ATTACKS: Explorer. An attacker could host a specially crafted
website that is designed to exploit this vulnerability through Internet
Explorer and then convince a user to view the website.
According to Security Advisory 2887505 [1]:
In a web-based attack scenario, an attacker could host a website that
contains a webpage that is used to exploit this vulnerability. In addition,
compromised websites and websites that accept or host user-provided content
or advertisements could contain specially crafted content that could exploit
this vulnerability. In all cases, however, an attacker would have no way to
force users to visit these websites. Instead, an attacker would have to
convince users to visit the website, typically by getting them to click a
link in an email message or Instant Messenger message that takes users to
the attacker's website.
"All supported versions of Microsoft Outlook, Microsoft Outlook Express, and
Windows Mail open HTML email messages in the Restricted sites zone," but "
if a user clicks a link in an email message, the user could still be
vulnerable to exploitation of this vulnerability through the web-based
attack scenario."
From the bad to the ugly Microsoft category
Last week, four of the 13 Microsoft-issued updates [4] were yanked for
causing nasty retargeting loop headaches for some customers. After
installing the updates, some users were notified to install updates again,
and then again, in a vicious circle, as if they had not previously installed
them. Microsoft said [5] there were also cases "where updates were not
offered via Windows Server Update Services (WSUS) or System Center
Configuration Manager (SCCM)." The company fixed the flawed patches and
released new updates.
Some folks may say that was a fluke, but it also happened in August;
Microsoft had to pull security updates that caused functionality issues. The
company claimed it had not properly tested the patches. "Are we starting to
see a shift back to when people called Microsoft the necessary PITA [pain
in the ass]?" asked [6] Andrew Storms, director of DevOps at CloudPassage.
Good news from Microsoft
In the Microsoft good news category, Windows Phone 8 was given the FIPS 140-
2 security thumbs up by the government. "FIPS 140-2 is a U.S. government
security standard used to accredit the cryptographic algorithms that protect
sensitive data inside products like smartphones," wrote [7] the Windows
Phone blog. "In all, Windows Phone 8 received accreditation for nine
cryptographic certificates."
If things go according to Microsoft's plans, then Windows Phones will have a
new virtual assistant in 2014 [8]. The Microsoft-flavored Siri is code-
named "Cortana," after "an artificially intelligent character in Microsoft's
Halo series who can learn and adapt." ZDNet added [9], "Cortana, Microsoft'
s assistant technology, likewise will be able to learn and adapt, relying on
machine-learning technology and the 'Satori' knowledge repository powering
Bing."
Lastly, Microsoft announced that Bing is moving on to "the next phase [10],"
which is more than a new logo and user interface. "Bing is now an important
service layer for Microsoft, and we wanted to create a new brand identity
to reflect Bing's company-wide role. The new look integrates the 'One
Microsoft' vision both from a product perspective and visually." This seems
to squash rumors that Microsoft might kick Bing to the curb. |
|
