News

Microsoft Investigating IE and FTP Security Flaws

Microsoft's security team announced late last month that it is investigating two proof-of-concept flaws in Microsoft's Web-related software.

One of the flaws offers a possible avenue for remote code execution attacks via Internet Explorer. The other flaw could enable denial-of-service attacks by exploiting a vulnerability in Internet Information Services FTP 7.5, which runs as a part of Windows 7 and Windows Server 2008 R2.

The IE proof-of-concept flaw potentially affects all versions of Microsoft's Web browser. It supposedly works by bypassing protections normally enabled by Microsoft's address space layout randomization (ASLR) and data execution prevention (DEP) technologies. Microsoft described the problem in a blog post in December, suggesting that users could deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) as a workaround.

Microsoft also issued security advisory 2488013 last month about the IE vulnerability. The advisory describes "mitigating factors," including the common practice of keeping software updated, using antivirus solutions and enabling a firewall. The two suggested workarounds in the security advisory included using EMET and boosting the local intranet security zone settings in IE to "high." Upping those settings will block ActiveX and active scripting in that zone.

Microsoft may elect to issue a patch for the IE flaw through its monthly update services or it may release a so-called "out-of-band" patch. However, the security advisory did not indicate when to expect such a fix, if it's coming. The flaw would typically be triggered by first directing an IE user to a malicious Web site, according to the security advisory.

The IIS FTP 7.5 flaw could offer a way to enable denial-of-service attacks, according to a Microsoft blog post. Microsoft is investigating the problem, which is associated with how the FTP server encodes a Telnet "interpret as command" character. An attacker could possibly exploit a heap buffer overrun as a consequence of this flaw, enabling a denial-of-service attack on a site.

The company did not issue a security bulletin for the FTP 7.5 flaw, but the blog indicated that the security team may issue a fix through its monthly security update process or provide "additional guidance to help customers protect themselves."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus