Microsoft To Fix Zero-Day IE Bug For Patch Tuesday Release
December 03, 2009 6:14 PM ET
Microsoft will fix 12 security flaws, including a critical Internet Explorer 8 zero-day vulnerability, with a total of six bulletins in its upcoming Patch Tuesday release.
The upcoming Patch Tuesday release, which Microsoft will issue on Dec. 8, covers flaws in numerous versions of Microsoft Windows, including Windows 7 and IE 8, as well as Office, including Project, Word and Works 8.5. Specifically, the affected software includes Windows 2000, XP, Vista and Windows 7, as well as Server 2003 and 2008, Office XP, and Office 2003.
The Microsoft December patch covers three flaws with the highest severity ranking of "critical," indicating that the vulnerabilities could be exploited by remote attackers to run malicious code.
Among the critical patches is a fix for a zero-day IE flaw, affecting IE 8 and other versions, which under certain conditions allows attackers to deliver specially crafted malware that remotely infiltrates and completely takes over a user's computer in order to steal sensitive financial information and login credentials.
"We know that customers are concerned about this issue and we are also aware that proof of concept code is available publicly," Microsoft said in its advance notification bulletin Thursday.
In a Web-based attack exploiting the IE flaw, an attacker would entice a victim to view a maliciously crafted Web page, typically via a phishing attack or some kind of social engineering scheme contained in an e-mail. Attackers could also infect victims by injecting malicious code into an existing legitimate Web site so that malware is downloaded onto a user's computer when they visit the compromised site.
Microsoft issued a security advisory Nov. 23, warning users about the IE bug, but maintained that thus far there were no known attacks in the wild exploiting the vulnerability.
Microsoft advised that users enable firewalls, apply all browser and OS updates and patches, and keep security products such as antivirus and antispyware up-to-date to reduce risk of attack.
In addition to the critical patches, Microsoft will also release three security bulletins labeled with the slightly less severe ranking of "important," for errors in multiple versions of Windows and Office that could lead to remote code execution or denial of service attacks.
