Microsoft is warning of a zero-day exploit and other Microsoft news

On Tuesday, the company posted a security advisory stating Microsoft is investigating public reports of a vulnerability targeting Internet Explorer 8 and 9. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

“All supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone,” but “if a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.”

With cyber crime hitting more than 500 million victims globally and costing $100 billion annually, it’s clear that security breaches are a problem very far from being solved.

Zero-days are just one part of the overall threat landscape; however, virtually everyone is at risk from a zero-day attack. The threat from zero-day vulnerabilities begins long before vendor or public discovery, and remains active long after patches are released.

A zero-day vulnerability is a vulnerability that has only been discovered by hackers. The vendor does not yet know of the vulnerability and therefore has not developed a patch for it. In contrast, a general vulnerability is disclosed by the vendor who typically has a patch ready.

Other Microsoft news:

Last week, four of the 13 Microsoft-issued updates were yanked for causing nasty retargeting loop headaches for some customers. After installing the updates, some users were notified to install updates again, and then again, in a vicious circle, as if they had not previously installed them. Microsoft said there were also cases “where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).” The company fixed the flawed patches and released new updates.

In the Microsoft good news category, Windows Phone 8 was given the FIPS 140-2 security thumbs up by the government. “FIPS 140-2 is a U.S. government security standard used to accredit the cryptographic algorithms that protect sensitive data inside products like smartphones. In all, Windows Phone 8 received accreditation for nine cryptographic certificates.”

If things go according to Microsoft’s plans, then Windows Phones will have a new virtual assistant in 2014. The Microsoft-flavored Siri is code-named “Cortana,” after “an artificially intelligent character in Microsoft’s Halo series who can learn and adapt.”

Microsoft announced that Bing is moving on to “the next phase,” which is more than a new logo and user interface. “Bing is now an important service layer for Microsoft, and we wanted to create a new brand identity to reflect Bing’s company-wide role. The new look integrates the ‘One Microsoft’ vision both from a product perspective and visually.” This seems to squash rumors that Microsoft might kick Bing to the curb.