Since 2004, Microsoft has issued packages of vulnerability fixes on a monthly basis, on the second Tuesday of each month, which has since been known as "Patch Tuesday". Once in a while, the company releases other important patches at other times when it deems it necessary. This is what happened today, as Microsoft rolled out a fix for a vulnerability advisory it had released on March 9th, as well as nine other vulnerabilities. The vulnerability is also known as CVE-2010-0806.
This patch is worth noting not only because it is an unusual out-of-band fix, but also because it addresses issues in older software, some of which Microsoft would probably be happy to stop supporting if it could. Mind you, the vulnerability fixed by this patch is serious, as it can allow a remote attacker to execute arbitrary code on a vulnerable machine. But while the vulnerability is generally rated critical, IE8 includes features that can effectively mitigate attacks, namely Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
In fact, Microsoft does say on the security bulletin's page that "Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 are not affected by this vulnerability." In other words, Microsoft had to work out a special, unscheduled security update specifically for legacy software, Internet Explorer 6 and 7.
That said, there are nevertheless concerns about IE8's real safety against vulnerabilities of this type. DEP is a workaround proposed by Microsoft to protect one's computer against the vulnerability, and ASLR is also a possible protection. Some think those are enough, but after last week's Pwn2Own hacking competition at the CanSecWest conference in Vancouver, doubts are legitimate.
Two researchers were able, in only a couple of minutes, to circumvent both DEP and ASLR to attack Windows 7, one through Internet Explorer 8 and the other through Mozilla Firefox. But Pete LePage, a product manager for IE, while admitting that no protection will ever hold forever, said that "defense-in-depth features, including DEP and ASLR, continue to be highly effective protection mechanisms." On the other hand, the United States Computer Emergency Readiness Team (US-CERT) claims that "DEP should not be treated as a complete workaround, but DEP can mitigate the execution of attacker-supplied code in some cases."
So, as is usually the case in IT security, one should apply the available mitigations, which today means enabling DEP and ASLR (or simply upgrading to Internet Explorer 8 if possible), and hope for the best. Listening to the experts, it appears that this is the best one can do for now. To take LePage's example, we could picture computer security features as a fireproof safe that protects our computer's valuables. "A stronger fireproof safe with several defense-in-depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last." Experts are divided on how significant the added time and protection are, though.