New attack fells Internet Explorer
A hacker has posted attack code that could be used to break into a PC running older versions of Microsoft’s Internet Explorer browser.
The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim’s computer.
“Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7,” the company wrote on its Web site Saturday. “We expect that a fully-functional reliable exploit will be available in the near future.”
Microsoft fixes kernel, Office flaws
Microsoft released six updates for its software on its regularly scheduled patch day on Tuesday, fixing at least 15 security holes, including three vulnerabilities in the Windows kernel.
The update patches severe issues in the License Logging service and the Web Services on Devices API, as well as critical vulnerabilities in the Win32k kernel. The most severe issue, caused by the incorrect handling of font data, is rated Critical for Windows 2000, Windows XP and Windows 2003.
“The vulnerability allows for remote code execution, and the attack code can be embedded inside MS Office files or be hosted on Web sites,” Andrew Storms, director of security operations for network protection firm nCircle, said in a statement. “Simply browsing an infected Web site will compromise unsuspecting users … A lot of people will try to be the first to publicly post exploit code.”
Microsoft also patched nine vulnerabilities in Microsoft Office and a single vulnerability in Active Directory, the company’s identity-management and credentialing server.
According to Microsoft’s exploitability ratings, six of the vulnerabilities were considered likely to lead to functional exploit code in the next month. The company predicted that eight of the issues might lead to unreliable exploit code, while a single flaw would be unlikely to be exploited.
Microsoft warns of Windows 7 security hole
Microsoft has confirmed reports of a security flaw in its Windows operating system that hackers could use to temporarily destabilize Windows 7 PCs. The software giant also acknowledged that blueprints for exploiting the flaw are now available online.
At issue is a so-called “denial-of-service” vulnerability in the component of Windows that handles the sharing of files and folders. Microsoft said attackers could use exploit code now publicly available to cause vulnerable systems to stop functioning or become unreliable. The flaw is present in Windows 7 and Windows Server 2008 R2, and does not exist in older versions of the operating system, the software giant said.
In a security bulletin published Friday, Microsoft said the vulnerability would not let attackers install malicious software or take control over an affected system, and that any ill effects from an attack on this flaw could be remedied by simply restarting the PC. In addition, the kind of computer network traffic that would be needed to exploit this flaw is easily blocked by using firewall software, such as the Windows firewall that ships with Windows 7 systems.