Security Alerts
Microsoft to Release Out-Of-Band Patch for Internet Explorer on January 21st
1/20/2010
A vulnerability in Internet Explorer that was used in attacks called "Operation Aurora" against Google, Adobe, and over 30 other companies has been publicly released. The attacks are highly sophisticated. They have been limited and targeted so far, but public release of proof-of-concept code on Friday increased the possibility of widespread attacks using the vulnerability because it might help cybercriminals write attack code. Microsoft issued an advance notification that it intends to release an "out-of-band" patch for the Internet Explorer vulnerability tomorrow. An out-of-band patch release is one that is not part of Microsoft's monthly patch release cycle and is an indication that Microsoft considers this a very serious risk. The patch will be available on Windows Update as close to 10 AM PST as possible.
Threat Level
Warning: Vulnerability is being actively exploited on the Internet.
(A "warning" alert is for a situation that is currently occurring or for which conditions are right for it to occur soon.)
Severity: High.
Media attention: Yes.
Affected Software
All versions of Internet Explorer 6 or 7 on all versions of Windows.
How Do I Protect My Computer
The vulnerability can be stopped using Data Execution Prevention (DEP), which is a combination of hardware support in most recent CPUs and software. To use DEP, (1) the CPU has to support it (Intel XD or AMD NX), (2) it has to be enabled in the BIOS, (3) the OS has to support it, and (4) the application (in this case, Internet Explorer) has to opt into using it. It is enabled by default only in IE8. Microsoft’s Security Research & Defense team has released a “Fix It” tool to allow users to enable DEP on older versions of Internet Explorer. For more information about DEP, and how to determine whether your hardware supports DEP and whether it is configured on your computer, see the Microsoft Security Research & Defense blog post Additional information about DEP and the Internet Explorer 0day vulnerability.
VUPEN Security claims to have sample exploit code that bypasses DEP.
Users who run browsers with automatic updates turned on or Windows with automatic update turned on will be automatically updated after the patch is released. Once the patch is applied, customers are protected against the known attacks that have been widely publicized.
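The four DEP conditions listed above can be checked on a machine with a short script. This is an added example, not part of the original bulletin or of Microsoft's Fix It tool; it assumes Windows PowerShell 2.0 or later, reads the documented Win32_OperatingSystem DEP properties and the Internet Explorer "Version" registry value, and its function names are hypothetical.

```powershell
# Added example (not from the bulletin). Requires Windows PowerShell 2.0 or later.
# Reports OS-level DEP state; it cannot see per-process opt-in of a running iexplore.exe.

function Get-DepPolicyName([int]$Policy) {
    # Values documented for Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    switch ($Policy) {
        0 { 'AlwaysOff' }
        1 { 'AlwaysOn' }
        2 { 'OptIn' }
        3 { 'OptOut' }
        default { "Unknown ($Policy)" }
    }
}

function Get-IeDepReport {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policy = Get-DepPolicyName $os.DataExecutionPrevention_SupportPolicy

    # Installed Internet Explorer version string, e.g. "7.0.5730.13"
    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ieVersion = (Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue).Version
    $ieMajor = 0
    if ($ieVersion) { $ieMajor = [int]($ieVersion.Split('.')[0]) }

    # Conditions 1-3: CPU support, BIOS setting, OS support
    $available = [bool]$os.DataExecutionPrevention_Available

    if (-not $available) {
        $note = 'DEP unavailable: check CPU support (XD/NX) and the BIOS setting.'
    } elseif ($policy -eq 'AlwaysOff') {
        $note = 'DEP is switched off in the OS policy.'
    } elseif ($ieMajor -eq 0) {
        $note = 'Internet Explorer version not found in the registry.'
    } elseif ($policy -eq 'OptIn' -and $ieMajor -lt 8) {
        # Condition 4: per the bulletin, only IE8 has DEP enabled by default
        $note = 'IE does not opt in by default: apply the Fix It tool and the patch.'
    } else {
        $note = 'OS policy or IE version enables DEP by default; still apply the patch.'
    }

    New-Object PSObject -Property @{
        HardwareDepAvailable = $available
        OsDepPolicy          = $policy
        IeVersion            = $ieVersion
        Assessment           = $note
    }
}

Get-IeDepReport | Format-List
```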
More Information
Security Advisories
Microsoft Advisory: http://www.microsoft.com/technet/security/advisory/979352.mspx
Microsoft MSRC blog (includes videos with guidance for home users and an explanation of DEP): http://blogs.technet.com/msrc/archive/2010/01/18/advisory-979352-update-for-monday-january-18.aspx
Microsoft advance notification of one out-of-band security bulletin: http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
McAfee: Attack Now Public: http://siblog.mcafee.com/cto/%E2%80%9Caurora%E2%80%9D-exploit-in-google-attack-now-public//
McAfee: Operation Aurora: http://siblog.mcafee.com/cto/operation-%e2%80%9caurora%e2%80%9d-hit-google-others//
VUPEN Security: DEP Bypass: http://www.vupen.com/exploits/Microsoft_Internet_Explorer_Use_after_free_Code_Execution_Exploit_MS_979352_0135286.php
Microsoft Reports of DEP being bypassed: http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx
Managed Services
Based on the criticality, IT Professional Services will perform an emergency deployment of the patch when it becomes available to protect all systems under Managed Care.
Professional Services
If you need assistance installing protection from this worm or a security assessment, IT Professional Services can help. Call our help desk.
Find out more about our managed care service.
To find out how vulnerable your network is, schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.