Security Watch

Thankful for a Light November Patch Load

Microsoft's November patch count is the lowest it's been in nearly four months, so IT pros have something to be thankful for heading into Thanksgiving: a light security update rollout.

Before you start comparing turkey recipes, consider this: There is still a big, in-the-wild flaw in Internet Explorer that likely won't be patched until December. Microsoft released Security Advisory 2458511 last week on the still-unresolved Internet Explorer vulnerability, which affects versions 6, 7 and 8 (but not the IE9 beta).

Redmond says users can get got during an IE browsing session "if they visit a Web site hosting malicious code."

Microsoft has published a workaround for the bug, which many in the security community believe to be inadequate. Microsoft is presumably holding off on a patch because the exploit is difficult to trigger in later browser iterations, which have the Data Execution Prevention (DEP) function enabled.

IE Exploit: Label It Crimeware?
Late Sunday, a new development arose that, at the very least, raised eyebrows: Roger Thompson said in a blog post that an exploit related to the unpatched IE flaw has been tacked on to the Eleonore attack kit. Attack kits, or crimeware, are bought and sold on the black market just like one would pick up AV software legally. Savvy hackers use these kits to plant their wares on hacked Web sites in order to hijack PCs via an IE browser session.

"Since this vulnerability came to light, Josh Drake, our lead exploit engineer, has been able to create reliable exploits for IE 8," said HD Moore, CSO at Rapid7 and chief architect of the Metasploit exploit database. "However, these targets depend on knowing the exact version of MSHTML.DLL on the victim in order to calculate the offset. The IE 8 platform is still a more difficult target than IE 6 and IE 7, but simply running IE 8 is no longer a significant counter-measure for this vulnerability."

In other words, without a formal patch even IE 8 isn't totally safe.

Zeus Upends MSRT
Analysis by security shop Trusteer found that more sophisticated Trojans such as Zeus or Zbot, which target online bank accounts from unprotected PCs, are going undetected by Microsoft's Malicious Software Removal Tool (MSRT). In Trusteer's tests, MSRT detected and removed Zeus 2.0 only 46 percent of the time.

The rest of the time, Trusteer says, MSRT failed to spot updated versions, and those are now circulating.

The crux of the threat is that new versions with slicker coding can slip past an MSRT that is designed to detect only older versions.

Microsoft has not yet formally responded to these claims, but Trusteer's findings come a month after Microsoft announced a new capability in MSRT, adding detection and removal functions specifically for Zeus.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

