Security Watch

Thankful for a Light November Patch Load

Microsoft's November patch count is the lowest it's been in nearly four months, so IT pros have something to be thankful for heading into Thanksgiving: a light security update rollout.

Before you start comparing turkey recipes, consider this: There is still a big, in-the-wild flaw in Internet Explorer that likely won't be patched until December. Microsoft released Security Advisory 2458511 last week on the still-unresolved Internet Explorer vulnerability, which affects versions 6, 7 and 8 (but not IE9 beta).

Redmond says users can get got during an IE browsing session "if they visit a Web site hosting malicious code."

Microsoft has published a workaround for the bug, which many in the security community believe to be inadequate. Microsoft is presumably holding off on a patch because the exploit is difficult to trigger in later browser iterations, which have Data Execution Prevention (DEP) enabled.

IE Exploit: Label It Crimeware?
Late Sunday a new development arose that, at the very least, raised eyebrows: Roger Thompson said in a blog post that an exploit related to the unpatched IE flaw has been tacked on to the Eleonore attack kit. Attack kits, or crimeware, are bought and sold on the black market just as one would buy AV software legally. Savvy hackers use these kits to plant their wares on hacked Web sites in order to hijack PCs via an IE browser session.

"Since this vulnerability came to light, Josh Drake, our lead exploit engineer, has been able to create reliable exploits for IE 8," said HD Moore, CSO at Rapid7 and chief architect of the Metasploit exploit database. "However, these targets depend on knowing the exact version of MSHTML.DLL on the victim in order to calculate the offset. The IE 8 platform is still a more difficult target than IE 6 and IE 7, but simply running IE 8 is no longer a significant counter-measure for this vulnerability."

In other words, without a formal patch even IE 8 isn't totally safe.

Zeus Upends MSRT
Analysis by security shop Trusteer found that more sophisticated Trojans such as Zeus (also known as Zbot), which target online bank accounts from unprotected PCs, are going undetected by Microsoft's Malicious Software Removal Tool. In Trusteer's tests, MSRT detected and removed Zeus 2.0 only 46 percent of the time.

The rest of the time, Trusteer says, MSRT failed to spot updated versions, and those are now circulating.

The crux of the threat is that new versions with slicker coding can slip by an MSRT release designed only to detect older versions.

Microsoft has not yet formally responded to these claims, but Trusteer's findings come a month after Microsoft announced a new capability in MSRT, adding detection and removal functions specifically for Zeus.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

