to Release Out-Of-Band Patch for Internet Explorer on January 21st
vulnerability in Internet Explorer that was used in attacks called
"Operation Aurora" against Google, Adobe, and over 30 other companies
has been publically released. The attacks are highly
sophisticated. They have been limited and targeted so far,
public release of proof-of-concept code on Friday increased the
possibility of widespread attacks using the vulnerability because it
might help cybercriminals write attack code. Microsoft issued
an advance notification
that it intends to release an "out-of-band" patch for the Internet
Explorer vulnerability tomorrow. An out-of-band patch release
one not part of Microsoft's monthly patch release cycle and is an
indication that Microsoft considers this a very serious risk.
patch will be available on Windows Update as close to 10 AM PST as
Warning: Vulnerability is being
actively exploited on the Internet.
(A "warning" alert is for a situation that are currently occurring or
conditions are right for the situation to occur soon.)
Media attention: Yes.
All versions of Internet Explorer 6 or 7 on all versions of Windows.
Do I Protect My Computer
vulnerability can be stopped using Data Extraction Prevention (DEP),
which is a combination of hardware support in most recent CPUs and
software. To use DEP, (1) the CPU has to support it (Intel XD
AMD /NX), (2) it has to be enabled in the BIOS, (3) the OS has to
support, and (4) the application (in this case, Internet Explorer) has
to opt into using it. It is enabled by default in only
Microsoft’s Security Research & Defense team has released “Fix
tool to allow users to enable DEP on older versions of Internet
Explorer. For more information about DEP, how to determine
whether or not your hardware supports DEP and configured on your
computer, see Microsoft Security Research & Defense blog post Additional information about DEP and the
Internet Explorer 0day vulnerability.
VUPLEN Security claims to have sample exploit code that bypasses DEP.
Users who run browsers with automatic updates turned on or Windows with
automatic update turned on will be automatically updated after the
patch is released. Once
the patch is applied, customers are protected against the known attacks
been widely publicized.
Microsoft Advisory: http://www.microsoft.com/technet/security/advisory/979352.mspx
Microsoft MSRC blog (includes videos with guidance for home users and
an explanation of DEP): http://blogs.technet.com/msrc/archive/2010/01/18/
Microsoft advance notification of one out-of-band security bulletin: http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
McAfee: Attach Now Public: http://siblog.mcafee.com/cto/%E2%80%9Caurora
McAfee: Operation Aurora: http://siblog.mcafee.com/cto/operation-
VUPLEN Security: DEP Bypass: http://www.vupen.com/exploits/Microsoft_Internet_Explorer
Microsoft Reports of DEP being bypassed: http://blogs.technet.com/srd/archive/2010/01/20/
Based on the criticality, IT Professional Services
will perform an emergency deployment the patch when it becomes
available to protect all systems under Managed
If you need assistance installing protection from
this worm or a security assessment, IT Professional Services
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.