Tuesday, March 9, 2010

FW: Microsoft warns of new IE bug; attacks under way

From: Sandi Meyer (MKT-US)
Sent: Wednesday, March 10, 2010 6:47:15 AM
To: Newsbank
Subject: FW: Microsoft warns of new IE bug; attacks under way
Auto forwarded by a Rule


Microsoft warns of new IE bug; attacks under way

It's the second zero-day vulnerability in the last 60 days

By Gregg Keizer

March 9, 2010 02:11 PM ET

Computerworld - Microsoft Corp. today warned of a critical vulnerability in Internet Explorer that is already being exploited by hackers; it was the company's second such admission in the past two months.

Internet Explorer 6 and its 2006 successor, IE7, contain a vulnerability that can be used by attackers to inject malicious code into a Windows PC. The oldest and newest of Microsoft's supported browsers, IE 5.01 and IE8, respectively, are not vulnerable to such attacks.

"At this time, we are aware of targeted attacks attempting to use this vulnerability," Microsoft acknowledged in an advisory posted simultaneously with two security updates that patched eight bugs in Windows and Office. Elsewhere, Microsoft said that the vulnerability had been publicly disclosed.

"It doesn't look like an exploit has been publicly posted," noted Andrew Storms, director of security operations at nCircle Network Security Inc., who added that Microsoft might have been made aware of the vulnerability either via a customer report or from one of the security companies that partner with it in the Microsoft Active Protections Program (MAPP). A report on the bug later today from the likes of Symantec or McAfee would indicate the latter, said Storms.

This is the second time in the last 60 days that Microsoft has admitted that hackers were exploiting an unpatched bug in IE. In mid-January, Microsoft said that a flaw in IE had been used to attack several companies' networks, including Google's and Adobe's. Microsoft patched that vulnerability, and seven others, later in the month when it issued an emergency update, often dubbed an "out-of-band" update.

As is its practice, Microsoft today did not spell out a timeline for patching the latest IE vulnerability, nor did it commit to an out-of-band fix.

Storms said it was too early to say whether Microsoft would rush a patch to users. "Generally, one of the indicators is if an exploit has gone public," he said, noting that as far as he knew, none had. "That often determines how quickly they'll patch. Of course, the way the Internet moves, [an exploit] could be posted in minutes, and then the story changes completely."

If Microsoft does not go out-of-band for this IE vulnerability, it might not issue a patch for it until May, Storms said, noting that the company will have to thoroughly test the repair job. April might be possible, he added, depending on how long Microsoft has known of the vulnerability and where it is in the fix cycle. "But then they wouldn't get a full QA cycle on the patch," he said.

Microsoft's next scheduled Patch Tuesday is April 13, five weeks from today.

Microsoft listed several recommended actions that users of IE6 and IE7 can take to defend themselves in lieu of a patch. They include modifying access to "iepeers.dll," disabling scripting in the browsers and enabling DEP (Data Execution Prevention).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer. His e-mail address is gkeizer@ix.netcom.com.



From: Computerworld Wrap-Up [mailto:computerworld_newsletters@cwonline.computerworld.com]
Sent: Tuesday, March 09, 2010 1:50 PM
To: Sandi Meyer (MKT-US)
Subject: Microsoft warns of new IE bug; attacks under way








Cisco unveils next Internet core router
Cisco Systems introduced its next-generation Internet core router, the CRS-3, with about three times the capacity of its current platform.



In this Issue


Microsoft warns of new IE bug; attacks under way
In its second such admission in the past two months, Microsoft today warned of a critical vulnerability in Internet Explorer that is already being exploited by hackers.

Worldwide poll: 4 of 5 call Internet access a basic human right
A study by BBC World Service found that four-fifths of adults around the world believe that Internet access is a fundamental human right.

Microsoft skips patch for PowerPoint add-on
Microsoft fixed eight flaws in Windows and Office today, but passed on patching one Windows component because it cannot be automatically updated.

P&G's clout with HP reaches to the CEO's office
A Procter & Gamble IT executive talks about the company's mega outsourcing pact with Hewlett-Packard and about how the consumer products company uses simulation to find ways to increase sales.

Review: FileMaker Pro 11 adds new features to a popular database
This latest version of the popular database app adds charting, auto-recurring imports and a quick search box. Is it worth an upgrade?

Verizon-AT&T LTE battle heats up
The simmering marketing battle between Verizon Wireless and AT&T over whose LTE network is first and best promises to explode in the coming months, analysts say.

Navajo Nation may get cutting-edge LTE network
If a pending federal grant is approved, one of the first LTE (Long-Term Evolution) wireless broadband networks in the U.S. will be built across 15,120 square miles of desert.

HP: Chinese rivals used stolen parts to make copy-cat ink cartridges
HP has accused a Taiwanese maker of printer ink cartridges of using stolen HP parts to make knock-offs and sell them in the U.S. through outlets such as Amazon.com.


IBM CEO's pay hit $21.2 million in 2009
IBM CEO Sam Palmisano’s bonus fell 14% in 2009, but his stock awards rose 11%. His total compensation is up slightly compared to 2008.

Chinese companies plan tablet PCs amid Apple iPad hype
Several Chinese companies have jumped on the tablet PC bandwagon as buyers await the sale of Apple's iPad, possibly presaging wide imitation of the Apple device in China.

Intel sees 2012 deployment for mobile WiMax Release 2
Chip giant Intel, a major backer of the movement to provide mobile WiMax wireless broadband to Internet users around the world, expects the next major release of the technology to be deployed starting in 2012, an executive said Tuesday.

LifeLock to pay $12M to settle FTC, states' complaint
LifeLock, an Arizona company promising customers protection from identity theft, has agreed to pay $12 million to settle charges that the company overstated its benefits and used "scare tactics" to gain subscribers.

Malware discovered on HTC Magic phone
A Panda Security employee discovered three malware programs on a recently purchased HTC Magic phone when it was plugged into a Windows computer.

Microsoft researcher wins Turing Award
The Association for Computing Machinery has awarded the 2009 A.M. Turing Award to Charles P. Thacker, for his work in pioneering the networked personal computer.

Steven J. Vaughan-Nichols: The Linux desktop is already here
It's 2010 and some people still think the Linux desktop is a non-starter. Please. Buy a clue; you're all Linux desktop users now.

Robert L. Mitchell: Whiz kid weighs in on Windows 7
His father's company is still evaluating Windows 7, but Xavier Dominicis, 11, says if he were CIO he'd give the OS the go-ahead.





Copyright (C) 2010 Computerworld, 492 Old Connecticut Path, Framingham, MA 01701
