Security Watch

Company Draws Out the Suspense over IE

Security firm says it has found more holes in the browser, but they're holding off on the specifics. Plus: the IE patch took some time; China denies responsibility over Google attacks.

We've heard this story before. Apparently, there are new bugs in Internet Explorer and, of course, there's a company being coy about their discovery in order to advance discussions about its own products.

Less than a week after Redmond released a cumulative out-of-band patch for IE (meaning it touched all supported versions of IE on all supported Windows OSes), Core Security Technologies, a Boston-based security research shop, is claiming it found a "cluster" of remote code execution exploits in the browser.

Core Security researcher Jorge Luis Alvarez Medina said in numerous reports over the weekend that the so-called clusters of holes aren't bad by themselves but, if exploited, could do some serious damage.

According to Core Security, the incursion happens when a user clicks on a corrupt URL. Alvarez Medina said his company will elaborate on the many ways a hacker can invade an IE browser session at the upcoming Black Hat security conference in Washington, D.C. next week.

Core Security said it contacted Microsoft in 2008 about a similar problem, but hasn't yet contacted it about this latest issue. Naturally, Microsoft hasn't responded to these claims yet, but since IT security pros and Windows enterprise users have a week before the conference to guess what these exploits actually are, this is definitely a wait-and-see situation.

IE Patch Took Some Time
While we're waiting and seeing about those aforementioned IE bugs, here's some insight into just how long it can take to patch exploits.

In a blog post accompanying the release of the off-cycle IE hotfix last week, Microsoft revealed that it had known about the bugs since September 2009.

"When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan. 11, we quickly released an advisory for customers three days later," wrote Microsoft spokesman Jerry Bryant. "As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September."

Whatever the case, security experts seem to be satisfied with how Microsoft responds with patches, particularly with IE, where cumulative, far-reaching hotfixes are common.
"Microsoft typically releases a cumulative Internet Explorer update every other month," said Jason Miller, data and security team leader for Shavlik Technologies. "February's patch day would mark the usual schedule for another cumulative release. Microsoft has shown with the [out-of-band] release that they are able to address critical vulnerabilities while still addressing other vulnerabilities that may or may not be publicly known."

China: Don't Look at Us
Predictably, the Chinese government is denying any complicity in or sanction of the recent security attacks against Google and scores of other companies.

As I wrote last week, a link between China and the attacks may be convenient given Google's recent comments against China's censorship laws but that such a link has "yet to be completely substantiated."

However, the prevailing opinion of several third-party security firms -- including Washington, D.C.-based Mandiant, which Google hired to investigate the attacks -- was that the attacks were far too sophisticated and organized to have originated from a band of rogue hackers looking for financial gain.

Time, as always, will tell. Stay tuned.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Salesforce Buying Slack for $27 Billion To Bolster CRM Solution

    Salesforce on Tuesday announced the purchase of collaboration software-maker Slack for an estimated $27.7 billion.

  • Dark City Illustration

    The Night the Lights Went Out in the Cloud: Lessons from the AWS Outage

    Last week's AWS outage that broke the Internet showed how critical it is to build applications that can withstand transient failure. Here's what you need to know to design a resilient cloud app (and it doesn't involve multicloud).

  • 5 Steps To Fix Windows Indexing Problems

    The Windows indexing feature doesn't always deliver the correct results of a file search. Here are five troubleshooting steps you can take whenever Windows indexing acts up.

  • Microsoft Adding Simpler Microsoft 365 Admin Center Option for Small Businesses

    The Microsoft 365 Admin Center, used for setting up and managing various Microsoft services, is getting a more lightweight interface designed for "very small businesses," according to a Tuesday Microsoft announcement.

comments powered by Disqus