March 9, 2010 11:48 AM PST

Microsoft warns of zero-day IE hole on Patch Tuesday

by Elinor Mills

Microsoft's Adrian Stone and Jerry Bryant explain the security bulletins in a video on the Microsoft Security Response Center blog.

(Credit: Microsoft)

Microsoft warned of a new vulnerability in Internet Explorer 6 and IE 7 that has been targeted in attacks, and released fixes for eight holes in Windows and Office as part of Patch Tuesday.

The company issued Security Advisory 981374, which addresses a privately disclosed vulnerability. The hole could allow an attacker to take control of a machine if a user visited a malicious Web site, Microsoft said.

There are some features that could mitigate the effects of an attack. For instance, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone by default, the company said.

"Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of the vulnerability as an attacker who successfully exploited this vulnerability would have very limited rights on the system," the advisory said. "By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone."

The advisory also provides information on workarounds. Microsoft suggests that IE 6 and IE 7 users upgrade to IE 8 immediately.

"For the second time in three months, Microsoft has also issued a warning about a new IE zero-day bug," said Andrew Storms, director of security operations for nCircle, referring to the IE hole that was exploited in the attacks on Google and other companies late last year and disclosed by Microsoft in January. "There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser wars."

In its Patch Tuesday preview on Thursday, Microsoft said it would issue two bulletins rated "important" on Tuesday to fix eight vulnerabilities in Windows and Microsoft Office products. Details are in the company's Security Bulletin for March.

The first bulletin for March, MS10-016, addresses a vulnerability in Windows Movie Maker that could be exploited by getting a user to open a maliciously crafted Movie Maker project file.

"Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the Web," Jerry Bryant, senior security communications manager lead at Microsoft, wrote in a blog post on the Microsoft Security Response Center. "Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update."

The vulnerability also affects Microsoft Producer 2003, a free download with limited distribution. "At this time, we are not offering an update for Producer 2003," the blog post said. "While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security."

The second bulletin, MS10-017, affects all currently supported versions of Microsoft Office Excel, as well as Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. A successful attack exploiting the hole would require a user to open a maliciously crafted file.

Meanwhile, the Malicious Software Removal Tool was updated to include Win32/Helpud, a Trojan that steals log-in information for popular online games.

Microsoft also re-released MS09-033, a bulletin for a hole in Microsoft Virtual PC and Microsoft Virtual Server, to add Microsoft Virtual Server 2005 to the list of affected software.

The software giant said it is continuing to monitor threats in connection with Security Advisory 981169 related to a hole in VBScript affecting older Windows systems that Microsoft disclosed publicly on March 1.

Although proof-of-concept code exploiting the hole has been released publicly, Microsoft said it was not aware of any active attacks. Customers using Windows 2000-, XP- and Server 2003-based systems are advised to apply the workarounds. Customers running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.

Updated at 1:04 p.m. PST with nCircle comment.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by satcomer March 9, 2010 12:26 PM PST
Well another round of users getting hacked into Bot net again. Yet more spam on the way because of this bug.
by santuccie March 11, 2010 9:15 AM PST
Actually, it's "botnet," not "bot net." And "bot" is not a proper noun; there is more than one botnet and bot program out there. That said, at least it stops with Vista and onward. Best you pray as I do that the rate of Windows 7 adoption and reception continues (even if there are still a few stragglers here and there). The sooner XP dies, the sooner the botnets start to shrink, and the sooner spam starts to die down. Cheers!
by MSSlayer March 12, 2010 3:44 PM PST
LOL

You think that there aren't millions of Vista and 7 boxes in these botnets?

LOL
by santuccie March 12, 2010 9:16 PM PST
@MSSlayer:

'Customers running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.'

Not through this hole, no. There are Trojan horses that work on Vista and Windows 7, some of the most common being the new generations of rogue antivirus programs that will install even if you click the close (X) button (only way to avoid infection is to terminate the browser or reboot; UAC may stop it if active, and at "always notify" in the case of W7).

Just FYI, Vista and Windows 7 are more resistant to remote attacks than Mac OS, including Snow Leopard. There are rumors that they are even tougher than the most widely used flavors of Linux, though I have no substantiation for this. The vast majority of bots out there are XP machines. Does that upset you?
by amadensor March 9, 2010 1:00 PM PST
Title Should Be:
Microsoft warns of zero-day hole: IE
1 person likes this comment
by santuccie March 10, 2010 4:24 PM PST
All browsers have bugs. Firefox and Safari have more bugs than IE, unless you count ActiveX. That said, outside of JS, VBS, and the like; IE bugs are most likely to be exploited. But you can't blame Microsoft for being successful. When Firefox overtakes IE, which I believe it will, the attacks will change course. And even as a Firefox user, I'm not worried about it.
by fudbuster77 March 9, 2010 1:09 PM PST
"The advisory also provides information on workarounds. Microsoft suggests that IE 6 and IE 7 users upgrade to IE 8 immediately."

I tend to wonder if OEMs use this sort of panic mode strategy to get the end users to upgrade to the latest version of the product? I'm sure the world would be better off if people moved from IE6 to IE8.

I use Firefox and Chrome, so don't really have to deal with it, but there's exploits out there for those as well so it's always good to be vigilant.
1 person likes this comment
by shycelticwitch March 9, 2010 1:09 PM PST
LOL no comment.
2 people like this comment
by WelshMullet March 9, 2010 1:59 PM PST
I believe you have failed logic there, my fellow forum goer
If you had made no comment, then I wouldn't be replying and "LOL no comment" would not be appearing on this page.
This is for IE 6 and 7, which are not the newest of programs. All programs have holes that need patching, that's why new versions are released. IE holes are only so serious because of the way it is tied to the XP / Vista OS.
3 people like this comment
by fudbuster77 March 9, 2010 2:32 PM PST
I always laugh at your comments, Shycelticwitch. They are meaningless and without value. If we base our opinion upon your comments like these, then that puts your value here as....


Ah. Yes. Quite LOL indeed. :)
5 people like this comment
by shycelticwitch March 10, 2010 8:50 AM PST
Let's put this in perspective... my value here is the same as yours, given that neither of us affects anything by what we post here. LOL right back at ya. WAFI.
by santuccie March 10, 2010 4:02 PM PST
Actually, judging by history, fudbuster77 seems to be fairly reasonable in his posting. Also, while admitting openly that he is a fan of Apple, and believes in it far more than he does in PC OEMs (and Microsoft), he is not here to bash MS like you are. In the few pages of comment history that I bothered to skim through, I saw nothing fictional. The same cannot be said of you.

I don't have an opinion yet on fudbuster77's technical savvy, but I see nothing that makes me question his credibility. He doesn't claim expertise over other forum members while claiming that DOS is an 8-bit operating system, and that 8086 is a 4-bit processor. If and when that ever happens, we'll see if he fights tooth and nail to try and drown it out, changes his story three times, or accuses others of his own faults (like personal attacks and editorial censoring, just before getting a post in French deleted that calls someone ugly and says their mother wears army boots). We all know your posts don't mean anything, but I for one find his meaningful. And that's coming from a Windows fan.

BTW, it is interesting how you lash out at fellow Mac users for disowning your trolling posts here. Not even The_happy_switcher found that necessary when you condemned him for trolling. Grow some thicker skin, already!
by shycelticwitch March 11, 2010 10:47 AM PST
Posted for no other reason than to prove a point. Even when you say nothing, MS fanbots will find a reason to lash out and spend half a day writing an essay on why bashing Windows is bad. I don't know what kind of drugs you're on but whatever they are they sure are painting a very nice fantasy world around you. You really believe that people care about what you say here... and I find that more amusing than the personal attacks. Get a grip dude... nobody cares that you are making a fool of yourself trying to make a fool out of me. You've quite succeeded in the first, but have failed badly at the latter since I am not seeing anyone line up behind you (except your usual bot followers like dhavleak) to jump on the wagon. You keep typing dear, at least we know you're not out on the streets.
by shycelticwitch March 11, 2010 10:52 AM PST
And... once again, you entirely missed the point of each post. I don't care what fudbuster77 posts... it's not changing the way the world thinks any more than what you post or what I post. I come here for amusement and the occasional newsworthy article, you come here because your life depends on it, or so your posts say. If life was as serious as you imagine it to be, we'd all be on Prozac. Don't worry, be happy... and stop trying so hard to make me mad, you're just making yourself look like a rabid stalker.
by santuccie March 11, 2010 1:44 PM PST
Actually, my previous "essay" to you was 1293 characters in 1 post, compared to 1309 characters in 2 posts for you. And it actually MADE a point. What point is there to your posts, other than bashing MS after condemning others for it?

'I don't know what kind of drugs you're on but whatever they are they sure are painting a very nice fantasy world around you.'
>>>>I don't use drugs. But I wonder if you do, since half of your insults sound more like you than the person you're addressing.

'Get a grip dude... nobody cares that you are making a fool of yourself trying to make a fool out of me.'
>>>>Actually, that wasn't me. That was you, when you made the mistake of making claims to expertise that you couldn't back up. You should have known better.

'And... once again, you entirely missed the point of each post.'
>>>>Did I? If it wasn't about fudbuster77's posts being no more important than yours (in your mind), then the only other thing I'm seeing is "LOL no comment." And as far as posts being worthless and not changing anything, I deliberately leave the "e-mail me" option open because CNET users have contacted me from there. Some have even requested advice right here in the forums, so everyone could see. And others have changed security products or followed the directions at Invincible Windows, placing it at #1 out of 1.2 million links on Google and #1 under Hardening Tools on the Best Free Security List in the World. Now, please tell me again that my posts are worthless.

'I come here for amusement and the occasional newsworthy article, you come here because your life depends on it, or so your posts say.'
>>>>No, you come here to bash Windows. Otherwise, that first-tier comment of yours wouldn't be there at all. And if my life depended on this, then I would have no day job, and would have had to have been the one with last word in our previous rendezvous, not to mention the last editorial bleep.

'Don't worry, be happy... and stop trying so hard to make me mad, you're just making yourself look like a rabid stalker.'
>>>>Once again, you think this is all about you. In case you haven't noticed, no one is singling you out, sweetheart. And I think you've been mad for awhile, posting baseless zingers that call people ugly and tell them that their mothers wear army boots (in any language). I think you NEED a prescription for Prozac.

That, or a cat, as well as a life. I don't know if anyone is stalking you in your neighborhood, but I'm not. I don't come up behind you on EVERY post you make, nor do I do it to anyone else. I told you before and I'll tell you again, my issue is with fiction. There were four or five people in this forum alone who posted misinformation, and you happened to be one of them. But you have been the only one thus far who is so very thin-skinned that you are compelled to respond with nothing more than puerile zingers. Congratulations!

I'm sure you'll be back to cite how I am posting "novels" that took me "two weeks" to write, rather than to sit back and think for a moment how people really are taking you less seriously because your comments contain only bashing and never a word of substance. So I'm going to save my time and allow you the last word (again), since you seem to think it helps you. All the best.
1 person likes this comment
by Seaspray0 March 9, 2010 4:21 PM PST
"Customers running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected."

This seems to be a recurring statement.
4 people like this comment
by aMUSICsite March 10, 2010 2:57 AM PST
This is why I refuse to upgrade from IE 5.5
by shellcodes_coder March 10, 2010 5:44 AM PST
Nice joke :)
1 person likes this comment
by shellcodes_coder March 10, 2010 5:46 AM PST
Yet another reason to stick with Windows 7. And here's yet another reason to stick with Windows 7: Charlie Miller: Windows 7 + IE 8 or Chrome provides safest computing experience: http://www.neowin.net/news/charlie-miller-windows-7--ie-8-or-chrome-provides-safest-computing-experience

Enjoy :)
1 person likes this comment
by queticomn March 10, 2010 6:59 AM PST
As for chrome being safe, https://secunia.com/advisories/search/?search=chrome

FireFox, and Opera are the safest browsers on the web.
http://en.wikipedia.org/wiki/Comparison_of_web_browsers Scroll down to Vulnerabilities.
1 person likes this comment
by Complete Novice March 10, 2010 2:13 PM PST
You are much better off using Opera or Chrome, IE browsers have a history of security vulnerability, and with that type of history, Microsoft cannot be trusted.
by santuccie March 10, 2010 4:16 PM PST
Actually, all browsers have vulnerabilities, including Chrome. They're definitely hard to exploit, given that Chrome uses a sandbox. But again, notice that Windows 7 and Vista users are unaffected. That's because of IE Protected Mode, ASLR, DEP, and others; which were introduced with Windows Vista. XP was released before drive-by downloads started showing up on legitimate sites; when that changed, so did Windows. And Windows is more resistant to remote attacks than Apple. Based on this, I'd say Microsoft most definitely CAN be trusted. That said, I appreciate the disclaimer in your username. We're all learning here.
3 people like this comment
by DanoNH April 6, 2010 7:57 AM PDT
I have long been opposed to the M$ monopoly, but have come to find that their business model has indeed evolved with the times. (Where have ActiveX controls gone???) If they couldn't be trusted, then they would go out of business. That is the global economic model. How would you feel if M$ software was produced in China? Would you still use it? Better yet, would you TRUST it?

As far as web browsers, my allegiance lies with Firefox for its versatility, customization (plugins) and usefulness.

We complain about security being an inconvenience but there is an inverse proportion between security and convenience. I'll take an extra step now instead of 1000 unnecessary steps later due to my circumventing a security feature...
1 person likes this comment
by Kaempen March 10, 2010 5:30 PM PST
Adrian Stone -- LOOK INTO THE CAMERA. It comes off as rude to not even look at us for half the time. You are recording into a camera, right? Turn the friekin' computer OFF, look up, pay attention to us!!! We're giving you **OUR** attention, the least you can do is give us YOURS!
by SteveDrummer1 March 11, 2010 5:00 AM PST
why does EVERY vulnerability start with "The hole could allow an attacker to take control of a machine"?
by JEBIBRO March 11, 2010 11:46 AM PST
good downloaded some things and know sometrhinkgfds
by calebstein March 11, 2010 8:07 PM PST
http://archlinux.org/
by charles_7 March 12, 2010 8:29 AM PST
For virus issues
www.snappytechs.com
About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.
