This blog post summarizes "Microsoft Security Bulletin 979352-ie 0-day vulnerability risk assessment. For more information or materials, see the bottom-most references in this blog.
In the next few days, I will spend some time writing an article about DepArticlePlease wait. Next, let's take a look.
Translated from this articleMicrosoft Security Response Center Blog Post"Further insight into Security Advisory 979352 and the threat landscape"
Hello everyone!
We wantMicrosoft Security Bulletin 979352We have made some in-depth analysis on the vulnerability issues reported in. What is related to this is that we are conducting a recent survey on Network Attacks against Google and other large enterprises. We know that there are many statements about this issue, and users have learned a lot about the current situation from various channels, but we want to provide some extra in-depth analysis.
First, we will provide the latest information on the threat situation: there are a lot of external guesses, so we will share with you the detailed information about the attacks that Microsoft sees through all monitoring systems. Second, we will point out and emphasize the protection measures that users should take. Finally, we will inform you of Microsoft's unremitting efforts to cope with the current situation and protect users.
in terms of the threat situation, we only learned a very limited number of attacks, these attacks are targeted at small subnets of enterprises. The attacks we have seen so far include public conceptual attacks Code , all of which are only valid for IE6 . Based on strict analysis of multiple attack sources, we haven't seen any target Successful Internet Explorer 7 and Internet Explorer 8 attacks (Note: although this vulnerability affects Internet Explorer 6/7/8, it is currently a public conceptual attack code, both only valid for IE6, for details, see Microsoft Security Bulletin 979352 ) . This may be related to improved security protection measures in the new version of IE and windows. You can go to Security Research and Defense blog see the detailed description. All in all, we do not see any large-scale attacks using any means, of course, there are no attacks against users at present.
we always pay attention to changes in the threat situation, make sure that you can take appropriate measures to protect yourself. For this reason, we recommend that you use IE6 and IE7 as soon as possible Upgrade to IE8 , the improved security measures in IE8 will benefit everyone. Users who use Windows XP SP2 must immediately upgrade to IE8 and enable Data Execution Protection (DEP: Data Execution Protection ), or upgrade to Dep enabled by default Windows XP SP3 . In addition, users should consider the deployment of the solutions and mitigation measures provided in the security notification.
In addition, although only a limited number of targeted attacks are detected, we are aware that the situation may change at any time. Therefore, we use the software Security Event Response Plan (Ssirp: Software Security Incident Response PlanMonitors the threat situation through multiple systems at all times, including the Microsoft Malware Protection Center (Mmp c: Microsoft Malware Protection Center), Customer service and support departments, and Microsoft's Active Defense Project (Mapp: Microsoft Protection ProgramAnd Microsoft Security Response Alliance (Msra: Microsoft Security Response Alliance.
We assure you that all our departments around the world are investigating and researching this vulnerability so as to provide high-quality security patches for widespread release.
We will continue to monitor the threat situation. Once any changes are detected, we will immediately inform you, orMsrc blogProvides daily updates.
Thank you!
George stathakopoulos
General Manager
Trusted Computing Security
* The post content is "based on the current situation". No warranties are made and no rights are granted *
Translated from this articleMicrosoft Security Research & Defense Blog Post"Assessing risk of IE 0day Vulnerability""
Yesterday, msrc releasedMicrosoft Security Bulletin 979352To remind users of the limited and complex attacks against IE6 users. Today, the attack sample has been published.
Before talking about the details, we need to clarify a question. The attacks we currently see, including public vulnerability exploitation methods, are allOnly Internet Explorer 6 users are affected.. As mentioned in the Security Bulletin, although the new version of IE will be affected by this vulnerability, the existing mitigation measures will make it much more difficult to exploit the vulnerability. We would like to share with you more information on vulnerabilities and known vulnerability exploits to help you better assess the risks of your organization.
Risks of different platforms
As far as we know, compared with the new version of IE and later versions of Windows, the risk of being exploited by vulnerabilities is greatly reduced, because the platform features are shown in the following table (note: this table does not include the server platform because browsing the network on the server rarely occurs ):
As you can see,Currently, the vulnerable client configuration is Windows XP running IE6. We recommend that you upgrade IE6 on Windows XP to the new version of Internet Explorer, and enable Dep at the same time.. The risks of other Platform Users are greatly reduced. We also recommend that Windows XP users upgrade to the new version of Windows.
More information about Vulnerabilities
This vulnerability is caused by Internet Explorer Memory Corruption. Attackers need to use JavaScript to copy, publish, and then reference a specially crafted file object model (DOM: Document Object Model) element. If attackers can implant the attack code into the memory, referencing a random address of the released memory will cause the attack code to be executed.
Multiple methods to prevent Code Execution
The vulnerability exists in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. All versions of Internet Explorer may crash after the attack code is opened. However, we have some measures to limit the attack to IE crash to prevent code execution:
-
- Disable javscript.Microsoft Security Bulletin 979352This work und is included. However, we also know that this solution will significantly affect the use of many web sites.
- Disable code execution for released random memory addresses. Dep: Data Execution Prevention prevents code execution that is not explicitly labeled as executable memory pages. Dep is a feature of the following versions of Windows: Windows XP Service Pack 2 and laterVersions: Windows Server 2003 Service Pack 2 and later. All Versions include Windows Vista, Windows Server 2008, and Windows 7. Dep is enabled for some platforms by default (see below for specific platforms ). For more information about DEP, see the two blog articles:Article 1,Article 2. (Dep is enabled by default on IE8 running on Windows XP Service Pack 3, Windows Vista Service Pack 1 and later, and Windows 7, therefore, users on these platforms do not need to use "Microsoft fix it" for reconfiguration..)
Windows VistaPrecautions for enabling Dep
Security notice lists the steps to enable Dep on IE7. To enable Dep on Windows Vista, you must run Internet Explorer with the Administrator account (right-click IE and select "Run as administrator "). After DEP is enabled, disable Internet Explorer, reSTART Internet Explorer, and then Browse by enabling dep. If you do not run Internet Explorer with the Administrator account, this option is gray and cannot be edited.
If you use Microsoft fix it to enable Dep on Windows Vista, the user interface of Internet Explorer is not displayed. However, after you reSTART Internet Explorer, you can useProcess ExplorerTo verify that DEP is enabled. "Microsoft fix it" ApplicationProgramWhen DEP is enabled by appcompat Shim, a registry key value is displayed on the Internet Explorer user interface.
Thank you
We are very grateful to Chengyun Chu for providing vulnerability utilization analysis and risk assessment help. We are also grateful to rob hensing for providing the DEP research and fixit4me MSI help. We are also grateful to Fermin J. Serna for its vulnerability analysis. Many Microsoft employees are working hard for it. Thank you!
-Jonathan ness, msrc Engineering
* The post content is "based on the current situation". No warranties are made and no rights are granted *
Translated from this articleMicrosoft Security Response CenterBlog posts"Security Advisory 979352-going out of band""
We want to update the Internet Explorer zero-day vulnerability threat situation and announce the following:Microsoft is about to release an emergency security patch to help users fix this vulnerability.
Through comprehensive monitoring of the threat situation, we found thatOnly a very limited number of targeted attacks. So far, what we seeSuccessful attacks only targetIE6Of. We continue to recommend usersUpgradeIE8The improved security measures can effectively protect everyone. We also recommend that you deploySecurity notice 979352.
Microsoft decided to release emergency security patches for the vulnerability, considering the degree of attention to this issue, the confusion of the user's information to protect themselves, and the increasing threat situation.
Considering the impact on users, we decided very carefully to release emergency patches. However, we believe that it is wise to release urgent patches. We will inform you of the release time of the patch tomorrow.
As always, we will continue to monitor the threat situation. Please pay attention to Microsoft's security response center (Msrc: Microsoft Security Response Center) To get the latest news.
Thank you!
George stathakopoulos
General Manager
Trusted Computing Security
* The post content is "based on the current situation". No warranties are made and no rights are granted *
Hello everyone, I'm Richard Chen.
Inform you in advanceMicrosoft plans to host the event in the early morning of March 13, Beijing time.We urgently released a long-standing IE Security patch to fix the zero-day vulnerabilities found. The highest level isSeverity Level.
The following is the full text of the advance notice. Please evaluate and understand the affected systems and related software first.
Http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
Common users can use Windows automatic update, Microsoft Update, or Windows Update to receive and install patches to protect your computer.
Thank you.
Richard Chen
Greater China Software Security Project Manager
References:
1. Microsoft Security notice (979352)
2. [translation] Security Bulletin 979352 and threat situation analysis
3. [translation] ie 0-day vulnerability risk assessment
4. [translation] Security Bulletin 979352-urgent patch coming soon
5. [Special Note] Microsoft releases the out-of-band (ie urgent security patch) in advance.
6. Further insight into Security Advisory 979352 and the threat landscape
7. Security Research & Defense (information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance)