Microsoft admits critical security flaw - Security Experts worldwide: Stop using Internet Explorer
Published on 12/17/08 at 20:32:43 by On
Security
04/02/2012: Thanks God Web-APP CMS is NOT made in PHP
21/01/2009: Gary McKinnon, the "Alien Perl hacker" extradition case on hold.
10/01/2009: Content management systems and social networks privacy issues.
23/10/2008: Google introduces security warning alerts for open source CMS built sites.
20/10/2008: CMS Open Source security versus obscurity
SecurityMicrosoft admits critical security flaw - Security Experts worldwide: Stop using Internet Explorer

Microsoft is finally admitting that all its Internet Explorer versions released up to date, including its IE8 Beta version are vulnerable to a severe, remote security issue. While there is not much mentioned about the issue itself (which is not patched yet!) , one can read in Microsoft site about the issue
in a lengthy   security advisory memo in which Microsoft urges its users to change their “Internet zone security setting” to “high” and to run the browser in “Protected Mode.”



According to information obtained by the WebAPP security team, this issue is known since IE version 5 was released and was discovered after  years of intensive security research work by security experts in China.  The exploit allows a remote user to obtain admin privileges on any remote PC using Windows- 2000, XP and Vista by infiltrating via Internet Explorer  browser version from 5 to 8 by either exploiting a link clicked by a visitor on a malicious site or pushing a remote link by exploiting a local CMS system XSS vulnerabilities which are often common for PHP based platforms such as Wordpress and Drupal. While Google has been  offering some help in further researching on those CMS related vulnerabilities, there is still no solutions for remote XSS-browser specific  attacks.  Other attempts to filter or detect such attacks by major Antivirus or firewalls software's distributors have also shown so far to be fruitless.

It has been reported that over 10,000 sites [mostly] in China assist in facilitating these attacks while most of the machines that have been compromised so far were of gamers,  but financial and public machines were highly targeted to.

Computerworld suggests a tech-heavy breakdown of the exploit and the best way savvy surfers can disable its ability to affect their machines. But easier solution may just be to drop IE.  Internet security firm Trend Micro’s Rick Ferguson told the BBC that “if users can find an alternative browser, then that’s good mitigation against the threat.” Microsoft has come out against users switching to another browser, citing security flaws.  “It would not be advisable to send people from one vulnerability (in Internet Explorer) to multiple vulnerabilities,” Windows head at Microsoft UK John Curran told the BBC.

The WebAPP security team would strongly suggest  switching to Firefox, while using Internet Explorer in a virtually isolated working environment, turning on popup blockers (default with Google toolbar) as well as avoiding clicking unknown links in PHP based CMS portals.

1 comment, (7270 loetud) All Articles by, On
  Printer Friendly version - Microsoft admits critical security flaw - Security Experts worldwide: Stop using Internet Explorer   
Registreeru
Comments on this article: Comments on this article:

1. Dart In and Out Written on 01/12/09 at 09:18:46 by Searles





The comments are owned by the poster. We aren't responsible for its content.
Only registered members may comment on articles.