Monday, April 28, 2014

The Department of Homeland Security Issues Internet Explorer Warning

Amidst ongoing reports that a recently discovered zero-day exploit is being used to attack financial and defense organizations in the US via Internet Explorer 9, 10, and 11. The US Department of Homeland Security has issued a warning urging everyone to stop using IE until the exploit is patched!

US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.

US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.

For more details, please see VU#222929.

The vulnerability, which was first discovered over the weekend has been confirmed by numerous sources an advisory issued by Microsoft to be currently active in 'limited attacks' in the wild. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye, which first reported the flaw Friday.

The attack leverages a previously unknown "use after free" vulnerability -- data corruption that occurs after memory has been released -- and bypasses both Windows DEP (data execution prevention) and ASLR (address space layout randomization) protections, according to FireEye.

While the Microsoft security advisory offers some suggested actions there was no word as to when we'll see a patch from for the flaw. Given that we feel the best course of action would be to stop using Internet Explorer entirely and switch to Google's Chrome, Mozilla Firefox or another browser of choice (not one back-boned by IE of course).

In a separate set of attacks, security researchers have also warned of an active campaign that was targeting a critical vulnerability in fully patched versions of Adobe's ubiquitous Flash media player. These attacks threatened not only Windows based PCs but OS X and Linux as well causing Adobe too issue an emergency update.

The vulnerability was fixed in the newly released Flash Player for Windows and Mac and Flash Player for Linux. The Flash Player versions bundled with Google Chrome, Internet Explorer 10 on Windows 8 and Internet Explorer 11 on Windows 8.1, will get the fix automatically through the respective update mechanisms of those browsers.

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you