Security Watch

Company Draws Out the Suspense over IE

Security firm says it has found more holes in the browser, but they're holding off on the specifics. Plus: the IE patch took some time; China denies responsibility over Google attacks.

• By Jabulani Leffall
• 01/26/2010

We've heard this story before. Apparently, there are new bugs in Internet Explorer and, of course, there's a company being coy about their discovery in order to advance discussions about its own products.

Less than a week after Redmond released a cumulative out-of-band patch for IE (meaning it touched all supported versions of IE on all supported Windows OSes), Core Security Technologies, a Boston-based security research shop, is claiming it found a "cluster" of remote code execution exploits in the browser.

Core Security researcher Jorge Luis Alvarez Medina said in numerous reports over the weekend that the so-called clusters of holes aren't bad by themselves but, if exploited, could do some serious damage.

According to Core Security, the incursion happens when a user clicks on a corrupt URL. Alvarez Medina said his company will elaborate on the many ways a hacker can invade an IE browser session at the upcoming Black Hat security conference in Washington, D.C. next week.

Core Security said it contacted Microsoft in 2008 about a similar problem, but hasn't yet contacted it about this latest issue. Naturally, Microsoft hasn't responded to these claims yet, but since IT security pros and Windows enterprise users have a week before the conference to guess what these exploits actually are, this is definitely a wait-and-see situation.

IE Patch Took Some Time
While we're waiting and seeing about those aforementioned IE bugs, here's some insight into just how long it can take to patch exploits.

In a blog post accompanying the release of the off-cycle IE hotfix last week, Microsoft revealed that it had known about the bugs since September 2009.

"When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan. 11, we quickly released an advisory for customers three days later," wrote Microsoft spokesman Jerry Bryant. "As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September."

Whatever the case, security experts seem to be satisfied with how Microsoft responds with patches, particularly with IE, where cumulative, far-reaching hotfixes are common.
 
"Microsoft typically releases a cumulative Internet Explorer update every other month," said Jason Miller, data and security team leader for Shavlik Technologies. "February's patch day would mark the usual schedule for another cumulative release. Microsoft has shown with the [out-of-band] release that they are able to address critical vulnerabilities while still addressing other vulnerabilities that may or may not be publicly known."

China: Don't Look at Us
Predictably, the Chinese government is denying any complicity in or sanction of the recent security attacks against Google and scores of other companies.

As I wrote last week, a link between China and the attacks may be convenient given Google's recent comments against China's censorship laws but that such a link has "yet to be completely substantiated."

However, the prevailing opinion of several third-party security firms -- including Washington, D.C.-based Mandiant, which Google hired to investigate the attacks -- was that the attacks were far too sophisticated and organized to have originated from a band of rogue hackers looking for financial gain.

Time, as always, will tell. Stay tuned.