News

Microsoft Investigating IE and FTP Security Flaws

Microsoft's security team announced late last month that it is investigating two proof-of-concept flaws in Microsoft's Web-related software.

One of the flaws offers a possible avenue for remote code execution attacks via Internet Explorer. The other flaw could enable denial-of-service attacks by exploiting a vulnerability in Internet Information Services FTP 7.5, which runs as a part of Windows 7 and Windows Server 2008 R2.

The IE proof-of-concept flaw potentially affects all versions of Microsoft's Web browser. It supposedly works by bypassing protections normally enabled by Microsoft's address space layout randomization (ASLR) and data execution prevention (DEP) technologies. Microsoft described the problem in a blog post in December, suggesting that users could deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) as a workaround.

Microsoft also issued security advisory 2488013 last month about the IE vulnerability. The advisory describes "mitigating factors," including the common practice of keeping software updated, using antivirus solutions and enabling a firewall. The two suggested workarounds in the security advisory included using EMET and boosting the local intranet security zone settings in IE to "high." Upping those settings will block ActiveX and active scripting in that zone.

Microsoft may elect to issue a patch for the IE flaw through its monthly update services or it may release a so-called "out-of-band" patch. However, the security advisory did not indicate when to expect such a fix, if it's coming. The flaw would typically be triggered by first directing an IE user to a malicious Web site, according to the security advisory.

The IIS FTP 7.5 flaw could offer a way to enable denial-of-service attacks, according to a Microsoft blog post. Microsoft is investigating the problem, which is associated with how the FTP server encodes a Telnet "interpret as command" character. An attacker could possibly exploit a heap buffer overrun as a consequence of this flaw, enabling a denial-of-service attack on a site.

The company did not issue a security bulletin for the FTP 7.5 flaw, but the blog indicated that the security team may issue a fix through its monthly security update process or provide "additional guidance to help customers protect themselves."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Microsoft Clarifies Project Cortex's Scope, IT Controls and Product Delivery in Q&A

    Microsoft recently offered a Q&A session on Project Cortex, its emerging "knowledge network" solution for Microsoft 365 users.

  • How To Use .CSV Files with PowerShell, Part 2

    In the second part of this series, Brien shows how to import a .CSV file into a PowerShell array, including two methods for zooming in on just the specific data you need and filtering out the rest.

  • Windows 10 Preview Adds Ability To Display Linux Distro Files

    Microsoft on Wednesday announced Windows 10 preview build 19603, which adds easier access to installed Linux distro files using Windows File Explorer.

  • Microsoft 365 Business To Get Azure Active Directory Premium P1 Perks

    Subscribers to Microsoft 365 Business (which is being renamed this month to "Microsoft 365 Business Premium") will be getting Azure Active Directory Premium P1 licensing at no additional cost.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.