Forum Thread: Microsoft plasters IE8 hole abused in nuke lab PC meltdown

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as resolved.
mogs Microsoft plasters IE8 hole abused in nuke lab PC meltdown
Expert Contributor 9th May, 2013 17:25
Ranking: 2265
Posts: 6,266
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK

Security stopgap follows shock US boffinry attack
By John Leyden
Posted in Security, 9th May 2013 11:38 GMT
Microsoft has issued a temporary fix for a high-profile Internet Explorer 8 vulnerability. This is the bug linked to recent targeted attacks against web pages accessed by nuclear weapons research teams at the US Department of Labor website.

The Fix It, released late on Wednesday, is designed to offer a temporary block against attacks based on the zero-day vulnerability ahead of a more comprehensive patch.

Applying the Fix will not require a reboot, an important factor in corporate environments. Microsoft is withholding details on what the Fix It actually does - at least until after its security gnomes forge a proper patch.

Redmond recommends that all customers using Internet Explorer 8 apply the stop-gap Fix It. Users of other versions of Internet Explorer are not affected and therefore need not worry.

"We have updated Security Advisory 2847140 with an easy one-click Fix It to help protect Internet Explorer 8 customers," said Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing in a statement.

"Customers should apply the Fix It or follow the workarounds listed in the advisory to help protect against the known attacks while we continue working on a security update. Internet Explorer 6, 7, 9 and 10 are not affected."

The Fix It is an easy-to-apply alternative to various workarounds detailed by Microsoft when it admitted there was a serious hole in its browser software late last week. Part of these defences rely on using Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET), which offers added protection against 0-days targeted at browsers on Windows systems that specifically tackle memory corruption-related security bugs.

IE 8 comes pre-installed on Windows 7 systems but users have the straightforward option of upgrading to IE 9 in order to stay out of harm's way, an option unavailable to laggards running Windows XP boxes.

A blog post by Wolfgang Kandek, CTO at cloud security firm Qualys, commenting on the vulnerability and suggested defence tactics can be found here.

Stats from Qualys's BrowserCheck service suggest that 42 per cent of all systems are running IE 8. If successfully exploited, the 0-day vulnerability (CVE-2013-1347) in IE 8 yields full control of compromised Windows machines, allowing hackers to install malware such as the Poison Ivy Trojan.

The exploit has reared its ugly head on several other websites since its initial discovery on a US Department of Labor website on 1 May. Since then the exploit has also been bundled into Metasploit, the popular open-source penetration testing toolkit. ®

http://www.theregister.co.uk/2013/05/09/ie8_0day_s...

--

Post "RE: Microsoft plasters IE8 hole abused in nuke lab PC meltdown" has been selected as an answer.
Maurice Joyce RE: Microsoft plasters IE8 hole abused in nuke lab PC meltdown
Handling Contributor 9th May, 2013 17:51
Score: 11569
Posts: 8,888
User Since: 4th Jan 2009
System Score: N/A
Location: UK
A long way behind the official notifications available.

The Secunia advisory dated 5th May 2013 is here: https://secunia.com/advisories/53314/

The Microsoft information release, dated 3rd May & updated on the 8th May, which gives all the information required to mitigate the reported vulnerability, is here: http://technet.microsoft.com/en-us/security/adviso...

The shortcut to the fix-it is here: http://support.microsoft.com/kb/2847140

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
ddmarshall RE: Microsoft plasters IE8 hole abused in nuke lab PC meltdown
Dedicated Contributor 9th May, 2013 18:20
Score: 1198
Posts: 954
User Since: 8th Nov 2008
System Score: 98%
Location: UK
"Microsoft is withholding details on what the Fix It actually does"

Not true actually. The details, including the code, are here: http://blogs.technet.com/b/srd/archive/2013/05/08/...

--
This answer is provided “as-is.” You bear the risk of using it.
joe schmoe RE: Microsoft plasters IE8 hole abused in nuke lab PC meltdown
Member 9th May, 2013 21:30
Score: 38
Posts: 139
User Since: 26th Nov 2008
System Score: 100%
Location: US
Last edited on 9th May, 2013 21:38
Using IE8 without the fix-it patch is at your own risk.

If you are running any version of XP, you cannot upgrade to a higher version of IE; IE8 is the max level available. Vista can go to IE9, Win 7 & Win 8 can go to IE10.

The reason this fix-it is so critical is because, unlike other alternative browsers available, all versions of IE are tightly integrated with the operating system you use. Any damage here will affect the proper operation of a Microsoft operating system.

An alternative is to use Firefox, Chrome, Opera, etc., until the fix is made permanent; likely to occur on this upcoming Microsoft Tuesday.

[EDIT:] Note that uninstalling the emergency fix-it before you update at Windows Update on Tuesday is recommended by Microsoft.

--
XP Pro SP3 P4 3.2 HT 2 GB RAM Avast! 9.0.2018 AIS
Win 7 Home Pro SP1 Pentium D 2.8 3 GB RAM Avast 9.0.2018 AIS
Secunia PSI 2.0.0.3003 XP Pro 32-bit & Win 7 H Pro 64-bit
mogs RE: Microsoft plasters IE8 hole abused in nuke lab PC meltdown
Expert Contributor 10th May, 2013 13:22
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
May 10th, 2013, 07:32 GMT · By Bogdan Popa
Microsoft to Patch IE8 Zero-Day Flaw Next Tuesday

Microsoft announced this A.M. that Patch Tuesday would bring a total of 10 different security bulletins supposed to fix 34 vulnerabilities in Windows, Internet Explorer and Office.

Even though the company hasn’t mentioned it clearly, Patch Tuesday would most likely bring a fix for the recently-discovered Internet Explorer 8.0 zero-day flaw that has been used to attack a large number of servers, including computers used by United States’ nuclear weapon researchers.

“Bulletin 2 is for the recent IE 8 0-day and is rated “critical” for granting RCE and should be on the top of your list if you are on IE8, which, according to our BrowserCheck statistics, still accounts for about 43 percent of users,” Wolfgang Kandek, CTO of security firm Qualys, said.

Two updates are labeled critical and are meant to fix issues in Internet Explorer and Windows, with every single version of the operating system scheduled to receive security improvements.

http://news.softpedia.com/news/Microsoft-to-Patch-...

--
Maurice Joyce RE: Microsoft plasters IE8 hole abused in nuke lab PC meltdown
Handling Contributor 10th May, 2013 17:58
Score: 11569
Posts: 8,888
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 15th May, 2013 09:43
The Microsoft routine release notification for Windows "Patch Tuesday" which gives all the known details is here:

http://technet.microsoft.com/en-us/security/bullet...

EDIT - 15th May.

The patch for this vulnerability has now been released via Windows Update.

Details for those who have installed the Fixit workaround are here:

https://1ncuig.bn1.livefilestore.com/y2pHIkz00Ynum...

The Fixit can remain on a PC, but those who wish to remove it after the patch is successfully applied can use this link to the uninstaller:

http://blogs.technet.com/b/srd/archive/2013/05/08/...

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM

This thread has been marked as locked.

