
Sunday, 4 May 2014

Internet Explorer Users Warned: New Zero-Day Exploit Discovered



Microsoft has issued a Security Advisory warning Internet Explorer users of a targeted attack which exploits a previously unknown flaw to allow remote code execution. According to FireEye, the security firm credited with discovering the attack, all versions of Internet Explorer (v6 – v11) are vulnerable, although currently only versions 9 – 11 are being actively targeted.
The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.
Microsoft has yet to issue a patch for this vulnerability but, according to its advisory, is preparing to do so:
"On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."


In the meantime, both FireEye and Microsoft have included methods in their reports which can be used to help mitigate the threat. Microsoft is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET). For more information on EMET and how it works, I suggest reading through security expert Brian Krebs’ article: Windows Security 101: EMET 4.0.
If the EMET solution appears a tad complex for less experienced users, FireEye has also included a couple of simple techniques which it claims “breaks the exploit”.
  • Enable Enhanced Protected Mode (only available in IE 10 & 11) – Internet Explorer>Tools>Internet Options>Advanced>Security
  • Disable the Adobe Flash plug-in; the attack will not work without Adobe Flash – Internet Explorer>Tools>Manage add-ons>Toolbars and Extensions>All add-ons
Operating from within a limited user account can also help limit any damage if the exploit does manage to get through. Of course, the simplest method is probably just to use an alternative browser, at least until Microsoft releases a patch.
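For anyone who needs to confirm the two FireEye mitigations across several PCs rather than clicking through the menus on each, the following PowerShell audit is an added example and not part of the FireEye or Microsoft reports. The registry locations and values it reads are assumptions about where IE 10/11 record these settings; verify them on a reference machine first.

```powershell
# Added example: report whether the two mitigations listed above are in place
# for the current user. All registry paths and values are assumptions about
# how IE 10/11 store these settings, not values taken from the advisories.

$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'  # Shockwave Flash ActiveX control

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of raising an error when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-EnhancedProtectedMode {
    # A Group Policy value, when present, overrides the per-user choice.
    # 'PMEM' is the value assumed to mean Enhanced Protected Mode is on.
    $policy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main' 'Isolation'
    $user   = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Isolation'
    $effective = if ($null -ne $policy) { $policy } else { $user }
    return ($effective -eq 'PMEM')
}

function Test-FlashDisabled {
    # Machine-wide kill bit: bit 0x400 of 'Compatibility Flags' blocks the control.
    # (32-bit IE on 64-bit Windows reads the Wow6432Node copy, not checked here.)
    $killPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
    $kill = Get-RegValue $killPath 'Compatibility Flags'
    if ($null -ne $kill -and ($kill -band 0x400)) { return $true }

    # Disabling through Manage add-ons is assumed to set bit 0x1 of 'Flags' per user.
    $extPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\$FlashClsid"
    $flags = Get-RegValue $extPath 'Flags'
    return ($null -ne $flags -and [bool]($flags -band 1))
}

# One object per machine/user, suitable for Export-Csv when collected centrally.
[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    User                  = $env:USERNAME
    EnhancedProtectedMode = Test-EnhancedProtectedMode
    FlashDisabledInIE     = Test-FlashDisabled
}
```

A result of False for either column means that mitigation could not be confirmed from the registry, not necessarily that it is absent.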

UPDATE

Microsoft has now issued a security update to patch this vulnerability. The update will be delivered as normal via Windows Update – mine arrived several hours ago. This is a critical update, so if you haven’t enabled automatic updates, or performed a manual “check for updates”, now would be a good time to do so.
*XP USERS NOTE: Microsoft has also made this update available for XP.
