Microsoft issues warning about limited, targeted attack vulnerability in Internet Explorer — What you need to know!

Microsoft has issued a security advisory for Internet Explorer due to a "zero-day" vulnerability that it has found being used in limited, targeted attacks "in the wild". Affected versions include Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. "Zero day" means it came without warning and "in the wild" means it's already being exploited. There's no mention of Windows Phone having the issue, but if you use Windows in general, it's something to be aware of, though not something to panic about. Here's why...

The exploit is a remote code execution attack delivered through the browser. That means someone needs to trick you into going to a malicious website in order for it to work. What's more, according to Microsoft's security note:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

So, normal, prudent browsing practices should keep you safe. Don't run as administrator, don't click on links to websites you don't know and trust, and if you're at all concerned, default to Firefox or Chrome until Microsoft issues a security fix.
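To see where a given machine stands on the mitigations listed above, here is a read-only PowerShell audit, added as an example and not taken from Microsoft's advisory. It reports whether the session has administrator rights, whether Enhanced Security Configuration is on (server editions), and whether Enhanced Protected Mode, which a reader comment below recommends, is enabled; the registry locations are the ones Windows uses for these settings and do not appear in the article.

```powershell
# Added example: read-only audit of the mitigations named in the advisory text.
# Nothing is changed on the system; missing keys are reported as $null.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. User rights: the advisory says an attacker gains the rights of the current user.
#    With UAC, this is $true only when the session is actually elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. IE Enhanced Security Configuration (Windows Server only).
#    IsInstalled = 1 means ESC is on for that group; the keys are absent on client Windows.
$escBase  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$escAdmin = Get-RegValue "$escBase\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" 'IsInstalled'
$escUser  = Get-RegValue "$escBase\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" 'IsInstalled'

# 3. Enhanced Protected Mode (IE10/IE11), per-user setting.
#    Isolation = 'PMEM' means EPM is enabled; Isolation64Bit = 1 enables 64-bit tab processes.
$ieMain      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$isolation   = Get-RegValue $ieMain 'Isolation'
$isolation64 = Get-RegValue $ieMain 'Isolation64Bit'

$report = [pscustomobject]@{
    RunningAsAdministrator = $isAdmin
    EscEnabledForAdmins    = ($escAdmin -eq 1)
    EscEnabledForUsers     = ($escUser -eq 1)
    EnhancedProtectedMode  = ($isolation -eq 'PMEM')
    Epm64BitProcesses      = ($isolation64 -eq 1)
}
$report | Format-List

# Summarise the findings a defender would want to act on.
if ($isAdmin) {
    Write-Warning 'Session has administrator rights: code run by the browser would inherit them.'
}
if ($isolation -ne 'PMEM') {
    Write-Warning 'Enhanced Protected Mode is not enabled for this user.'
}
```

Run it as the account that does the browsing, because the Enhanced Protected Mode values are stored per user.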

These types of exploits happen. Perfect code is almost impossible these days. From "goto fail" to "Heartbleed", exploits are going to keep getting found. The important thing is how the companies involved handle disclosing and fixing them, and how we keep ourselves safe in the meantime.

If anyone has any other security recommendations, add them to the comments!

Source: Microsoft

Reader comments

136 Comments

Posts about a warning to users on a blog are written in a hurry, and that's how it should be, since they want as many people to be aware of the problem as fast as possible. On a post like that if you want to see if it's been edited properly you need to come back the next day and see if the errors are still there. If the errors are still there tomorrow then there really is a problem...

I agree with this, but there is no need to attack someone for pointing it out. You weren't in the wrong though.

Typos are typos and their supposed to be corrected. Unless your someone who lieks to see language deteriorate. Who would of taught proper spelling and grammer isn't needed in the digital age anymore. ;)

Are you kidding me. Typos are not part of "modern day technology". As a matter of fact spell checking is a part of "modern day technology." All authors on this site should be writing their articles in Word before publishing. It would take care of all the issues with spelling and sentence structure. It would also make the site look more professional and lend it some more credibility.

Yeah, a lot of the articles have grammar issues. Since I'm addicted to WPCentral, I've just learned to ignore them and read it the way it's supposed to sound in my head.

IE11 (and 10 for that matter) is super fast for me using Windows 8. I've actually uninstalled Firefox about a year ago BC of this.

I'm using 11 clean out the box and it is sluggish as anything. Brand new Win 8 laptop. This is desktop mode, not modern UI. Chrome still knocks spots off it and looks better.

What box did you take it out of? Because I have zero issues with IE. It works fine on my Windows Phone, it works great on my Surface, and it works perfectly on my PC. On a side note, because I do some web development I do have Firefox just for testing, now that's a sluggish browser, I really hate using FF.

You have ZERO issues? Try this. Open web outlook for any institution. Try and change your signature for emails. IE11 can't even open Microsoft services, Chrome can. I love IE11 but this is criminal.

Our organization uses MS Exchange Server and we get to check our mails using OWA and guess what, it works best in IE. In fact if you use other browsers, you don't get the full functionality. It could be that your Exchange OWA is not updated to support IE11. We had this problem till some time ago when older IE versions would open OWA with full functionality but IE11 wouldn't. An update on the server side fixed this and I actually use Outlook 2013 only for tasks like Team Emails, advanced scheduling functions etc. Most of my emailing is now happening with OWA running in IE11.

I use Windows 8.1 and IE is definitely the fastest browser out. And comparing the 'look' of browsers... Seriously, there's like 1/10 of your screen for the browser and all of them 'look' almost identical... I don't get it.

Dialog boxes, tabs, notification windows.. just don't look right. I want to like it but in desktop mode it just doesn't cut the mustard. Even starting up takes a good 30 seconds. Maybe I should reinstall it? It came pre loaded on a new Acer V5.

Any PC you buy from a vendor, first thing you do is charge it, then wipe it. Gets rid of all the crap software vendors install. With Windows 8/8.1 you could try doing a full system restore, but I'm not sure if that would get rid of everything. To do this, go to the PC settings app > Update and Recovery > Recovery and click on "Remove Everything and Reinstall Windows". Will clean all the junk right out, or it should anyway. Will most likely give your new hardware a nice speed boost too.

Sounds like out of the box bloated it up. Try a fresh install. It's easy these days. It shouldn't run sluggish at all on a new machine. My four year old 300$ laptop runs it fine. So something is up with the system/install.

Yes. I used to use Chrome, but Opera is so much faster than IE, FF or Chrome. At least for me it is.

Internet Explorer 11 sluggish on desktop mode? Not here on any of my Windows 8 devices. Chrome and Firefox on the other hand are bloated and sluggish.

Then your box is loaded up with other software interfering with the normal operation of IE, and probably Windows itself.

Since IE 9 came out I haven't looked back, now I am at IE 11 and am as happy as the day IE 9 came out, if there was IE for Android I would be using that too.

I was going to say almost the same thing: thank God then that nobody uses it! I don't know about speed. I think all browsers are fast on my connection. But the sheer crappiness of it!

The word "phone" doesn't appear in the warning so my guess is that it's Windows (not Phone) only, at least as currently disclosed.

Chrome is spyware itself but these kind of attacks also exist within Chrome. Just Bing it up ;) I wouldn't trust extensions; who knows what kind of data they're submitting or doing to your set-up.

By the way, the same AdBlock is now available for IE too :D, although personally, I prefer to use TPL within IE. Also, TPL allows you to subscribe to the blocking list created by the AdBlock team.

Chrome is the most logical choice, indeed. Instead of running a chance to be hacked with Internet Explorer, Firefox or Safari, with Chrome, you have 100% guarantee that you are being spied on by the browser itself, no worries for hacks anymore, the browser is a hack. Also, it saves passwords very easy, handy to access all of your secret passwords by anyone just with 3 clicks through the settings. Best. Browser. Ever.

/s

At some point was my default browser, but it always felt incomplete for some reason for me, I prefer the non-profit model from Mozilla for my alternative choice of IE

Wrong!!!..... Opera uses Chromium engine so does Google Chrome........ Google Chrome is just Chromium browser with Google bloatware on it....

I love Opera. I always have going back to Windows Mobile 5. I'm not saying it's perfect, but it really is good. It's worthy of more praise/attention than it gets.

The only difference is, you are officially spied on by the corporation! As part of their ongoing efforts of harvesting user data, Google profiles all your activities and sells it to the highest bidders: Ads agencies or Government agencies.

Corporations can't make billions each quarter doing clean ads business, and especially when all the products are free of cost. There is something seriously wrong with the equation. Think about it!

No fanboy conversation here, not from my part at least. For sure Microsoft is not the best company in the world, Microsoft love us etc etc. All of these companies have one final simple goal, it's called profit. Now the fact that Google seems more untrustworthy in the eyes of let's say a lot of people it has to do with their acts and policies. I just wish they were more ethical for final users cause they are indeed an innovative company with great portfolio. And you know what it's their arrogance as well, (If people don't want us to read their Gmails they shouldn't send them in the first place).

So in short it's not that we woke up a day and said let's hate Google, they did something wrong to create that feeling towards them.

Well it's not what Microsoft led me to believe, it's the general perception and unethical approach of making profit on you without your consent!

For instance, I registered for an online exam and got a confirmation email in my Gmail inbox. After some time I started getting ads about the same exam organization everywhere (Gmail, YouTube, websites with ads). Did I sign for this? Certainly not. Chrome collects rather more information than the Gmail.

I get your point but imagine if they never used this information all the ads would be like the ones you see on piratesbay where it's porn and only porn in your face.

Well it seems that once again the coin has two sides, what are we willing to sacrifice for our convenience.

Not all people have the same priorities and concerns about their privacy, hence we make our choices according to what we believe is best for us

Or one can use Chromium portable or build from source if one is interested in the rendering engine without the Google bloatware / privacy issues. But even that is not as efficient as IE11, I must say.

Running TrendMicro Internet Security. Haven't seen any issues in a long long time using their software/services. Hopefully this one doesn't make it through.

Even though IE 11 is great for touch and is fast, I hate it as much as I did lots of years ago.

There are barely any extensions and that is plainly stupid in 2014.

I hope they'll let us install different browsers (different engines) on WP sometime this year, or at the next big update.

Chrome all day!

How is extension-less browsing stupid? Besides, Internet Explorer was the first browser to introduce extensions, the extension system has been there for years. Also, Chrome and Firefox are the only major browsers that do support extensions as you want it, they are a minority. Not to mention that their mobile counterparts lack support for most of them too.

I'm now defaulting to Chrome but I really like IE a lot but the browser's UI isn't as good as Chrome for me.

Maybe if I got the fav-bar and adblock working I would use IE11 more (I know/heard they are available but only a lot of shitty malware sites popped up)

What do you mean? Just go to the official AdBlock website and there you go. For the favorite bar, what's wrong with right mouse click > Show favorite bar?

And then they want to change how people see Internet Explorer, these security problems always involve IE, it's impossible not to troll it

Maybe because Microsoft wants to be clear with their customers and admits it while others just hide things?

I find it a bit unlikely though that these things only happen to IE and Apple's Safari. Both of these giant companies care about their reputation so they try to be as clear as possible.

I don't really know, just saying

Not a lot of people use IE anyways to make a difference if they stop using it when there is a problem. And most other browser creators tend to be faster at fixing their errors. So... Security threats are not that big of an issue? I babble, but it is a possibility

Although. This is probably serious if Microsoft did in fact go out and tell people that IE is facing a threat.
-- Bam --

Why do people keep spreading that bit of misinformation? There are still plenty of people who use IE. Contrary to popular belief the average person doesn't install the latest browser unless they see it advertised enough and they sure as heck don't use extensions with maybe an ad-block being the exception.

As opposed to the other browsers? (Over 25% is not over 50%) Where is the scale heavier? I'm not saying no one uses it. I am saying it holds the minority.
-- Bam --

So you are saying that because the scale is not weighed in favor of IE because there aren't as many people using it (though it's in the number 2 position) all the people who enjoy using it should just jump to another browser because there are more people using the other one? No offense but all browsers have security vulnerabilities, it is the nature of the beast, just some are more open about it than others. Very few, IE included, do nothing about browser-breaking bugs. I'd rather know when something comes up than to be left in the dark just so a company can maintain the appearance of being impervious to bugs/exploits.

That was a complete strawman... Never said that. You just don't like what I said "IE isn't as big as the rest." Not too hard to understand, is it?
Any who, my implication was that it is easier to let, say, 1 million users know that there is a problem..vs letting 50 million users know that there is a problem. (Just to be clear before another illogical fallacy comes up, I am not saying IE has 1 million users only.) You lose less when 1 million take a break from your product. If you rely on 50 million to use your product, you lose less from fixing the problem and never announcing it to EVERYONE.

Now before I hear more nonsensical distortions, this isn't an argument on opinion. This isn't even an argument. It is open minded possibility.
-- Bam --

Whatever you say. I'll not debate you on this because you are allowed your own opinions. If it pleases you to believe I disagree with you solely because you said "not many people use IE" then by all means do so. If it also pleases you to believe your earlier statement would be interpreted by a normal person in any other way than what I concluded it said then more power to you. I'll not get into a silly argument over browser market share or the like as it's pedantic.

You don't know how other people think. You cannot decide how people will interpret anything. Just curiosity though, can you read my statements again and make sure you didn't misunderstand what I said?
And to be fair.. Again, whenever someone says something that others don't like.. They will be challenged. And that's really why the latter misunderstands a point.
-- Bam --

Yes, you did say that. When you claim this stuff show facts, not just some random numbers you pull out of your ass.

Note the disclaimer at the bottom of the page:
Statistics Can Be Misleading
You cannot - as a web developer - rely ONLY on statistics. Statistics can be misleading.
Note: W3Schools is a website for people with an interest for web technologies. These people are more interested in using alternative browsers than the average user. The average user tends to use the browser that comes preinstalled with their computer, and do not seek out other browser alternatives.
Tip: Global averages may not be relevant to your web site. Different sites attract different audiences. Some web sites attract professional developers using professional hardware, while other sites attract hobbyists using old computers.
Anyway, our data, collected from W3Schools' log-files over many years, clearly shows the long term trends.
So yes, we are done here. :-)

That just says that results may vary depending on website/community. Does that make them wrong?

But Okay, I understand that and put it here knowingly of what it said.
So we agree to disagree?
Friends? :D
-- Bam --

F*ck, and now, all the news is about IE and how dangerous it is to use it. All my hard work at vindicating IE to people has just been useless at all.

They had an episode about the "Zero-Days" a few weeks back in NCIS LA.

Looks like I might go back to Safari ... Better safe than sorry.
Thanks for the heads up René & as always, good to see you here :)

I have to ask, does anyone else get weird lockups with IE occasionally? Happens to me all the time after a Bing search leads me to Huffingtonpost.com for an article. Sometimes YouTube (especially today) but definitely Huffingtonpost. At work on IE 9 and at home on IE 11 (DESKTOP)

In addition to what the article says, if you're on Windows 7 x64 or Windows 8, enable "Enhanced Protected Mode" (which blocks this exploit) and if possible, also enable "64-bit processes for Enhanced Protected Mode". Or, stay in Metro IE, which since it always has EPM on, is just safer in general.

Love IE since IE 9. It's just as fast as chrome. Just deactivate any toolbars and add ons.
To check the impact of add ons, try the IE with no add ons

"Don't run as administrator, don't click on links to websites you don't know and trust, and if you're at all concerned, default to Firefox or Chrome until Microsoft issues a security fix."

True that! That's why I only used IE as the tool to download other browsers whenever I install Windows, and nothing else.

So would this affect IE running in Metro?

I'm curious to know the actual answer. Because, from what I understand, Metro IE is quite a bit safer as it is much more restricted and locked down.

I used to like IE6 just like XP and from the time IE7 came I avoided using IE and started using Firefox and it used to be good but recently it's been very slow and also makes my system slow. I never liked Chrome cause it eats up more memory. I did not try IE11 after 8.1 update but on my Lumia it works like a charm. Sometimes these vulnerabilities are caused by Adobe Flash Player and Oracle Java plugins.

Had beans for lunch today and personally I prefer brand 'x' over brand 'y' and so feel everybody should think like me. Just sharing ;)