Security Watch

Thankful for a Light November Patch Load

Microsoft's November patch count is the lowest it's been in nearly four months, so IT pros have something to be thankful for heading into Thanksgiving: a light security update rollout.

Before you start comparing turkey recipes, consider this: There is still a big, in-the-wild flaw in Internet Explorer that likely won't be patched until December. Microsoft released Security Advisory 2458511 last week on the still-unresolved Internet Explorer vulnerability, which affects versions 6,7 and 8 (but not IE9 beta).

Redmond says users can get got during an IE browsing session "if they visit a Web site hosting malicious code."

Microsoft has published a workaround for the bug, which many in the security community believe to be inadequate. Microsoft is holding off presumably because the exploit is difficult to trigger in later browser iterations, which have the data execution prevention function enabled.

IE Exploit: Label It Crimeware?
Late Sunday a new development arose to, at the very least, raised eyebrows: Roger Thompson in a blog said an exploit related to the unpatched IE flaw has been tacked on to the Eleonore attack kit. Attack kits, or crimeware, are bought and sold on the black market just like one would pick up AV software legally. Savvy hackers use these kits to plant their wares on hacked Web sites in order to hijack PCs via an IE browser session.

"Since this vulnerability came to light, Josh Drake, our lead exploit engineer has been able to create reliable exploits for IE 8," said HD Moore, CSO at Rapid7 and chief architect of the Metasploit exploit database. "However, these targets depend on knowing the exact version of MSHTML.DLL on the victim in order to calculate the offset. The IE 8 platform is still a more difficult target than IE 6 and IE 7, but simply running IE 8 is no longer a significant counter-measure for this vulnerability."

In other words, without a formal patch even IE 8 isn't totally safe.

Zeus Upends MSRT
Analysis by security shop Trusteer found that more sophisticated Trojan bugs such as Zeus or Zbot, which target online bank accounts off unprotected PCs, are going undetected by Microsoft's Malicious Software Removal Tool. Trusteer said MSRT detected and removed Zeus 2.0 only 46 percent of the time, according to the security shop's tests.

The rest of the time, Trusteer says, MSRT failed to spot updated versions, and those are now circulating.

The main crux of the threat is that new versions with slicker coding can slip by an MSRT program only designed to detect older versions.

Microsoft has not yet formally responded to these claims but Trusteer's findings come a month after Microsoft announced a new capability in MSRT, adding detection and removal functions specifically for Zeus.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus
Most   Popular