TulipTools Internet Business Owners and Online Sellers Community

Microsoft Confirms 'Highly Critical' IE Hole
Quote: Microsoft plans to release a pre-patch advisory to provide mitigation guidance and workarounds for a code execution browser flaw that could lead to PC takeover attacks. The flaw puts the computers of millions of Internet Explorer users at risk...

The vulnerability was confirmed on a fully patched system with IE 6.0 and Microsoft Windows XP SP2. It has also been confirmed in IE 7 Beta 2 Preview, Secunia said.

The MSRC (Microsoft Security Response Center) said in a blog entry that users of the new refresh of the IE7 Beta 2 Preview announced at Mix '06 are not affected...

full article: http://www.eweek.com/article2/0,1895,1941507,00.asp

One note: there are 2 versions of IE7 Beta 2 Preview: the version released in February and the 2nd version released on 20/3/2006. In order to install the 2nd version you must first uninstall the 1st version. The 20/3/2006 release is not affected by this bug, but all other versions of IE6 and IE7 are affected.

You can download the 20/3/06 IE7 release here: http://www.microsoft.com/windows/ie/ie7/...irect.mspx
Quote: In order to install the 2nd version you must first uninstall the 1st version.

Which is a friggin' PITA.

The microsoft announcement has more information: http://www.microsoft.com/technet/securit...17077.mspx
Update: an exploit was released on the Web and attackers are hitting IE:

Quote: Microsoft confirms a wave of drive-by downloads targeting a zero-day browser vulnerability and says Internet Explorer users can expect a patch on April 11, if not sooner.

Malicious hackers are using hijacked Web servers and compromised sites to launch a wave of zero-day attacks against an unpatched flaw in Microsoft's Internet Explorer browser.

The first wave of drive-by downloads was spotted on March 25, and security experts tracking the attack say the threat is growing at a rate of 10 new malicious URLs every hour.


full article: http://www.eweek.com/article2/0,1895,1942570,00.asp
A related turn of events:

Quote: The ongoing zero-day attacks against users of Microsoft's Internet Explorer browser have taken an ominous, social-engineering twist.

According to an alert issued by Websense Security Labs, in San Diego, excerpts from actual BBC News stories are being used to lure IE users to Web sites that launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.

One version of the spammed e-mail seen by eWEEK contains a portion of a BBC News item published on March 27 about the Chinese yuan hitting a post-revaluation high against the U.S. dollar.

After the legitimate excerpt, the hackers embedded a "read more" link that points to a Web site that contains a spoofed copy of the BBC News story from the e-mail...

full article: http://www.eweek.com/article2/0,1895,1944579,00.asp
Microsoft will release a patch for this security hole on Tuesday. The other security hole that was discovered late last week will not be patched tomorrow, however.

Quote: A fix for a widely exploited flaw in Internet Explorer is among five security patches Microsoft told users to expect next week.

Following weeks of speculation whether the CreateTextRange vulnerability would force the software giant to break from tradition and release a special patch, Microsoft said Thursday the patch is among four others slated for April 11.

The company expects to release five security patches: four (including one deemed "critical") affect the Windows operating system and one addresses a "moderate" vulnerability in Microsoft Office...

full article: http://news.earthweb.com/security/article.php/3597546
Update:

Quote: Microsoft Tuesday released five security bulletins that patched 14 different vulnerabilities, including an awaited fix for Internet Explorer, the browser which has been victimized for weeks by multiple exploits installing adware, spyware, and keyloggers on users' PCs.

Three of the bulletins were tagged as "critical," one as "important," and the fifth as "moderate;" that last is Microsoft's second-from-the-bottom alert.

However, the majority of the 14 bugs in the 5 bulletins were labeled "critical" by the Redmond, Wash. developer, meaning that they should be patched as soon as possible. Of the 9 critical flaws, 7 relate to the MS06-013 security bulletin, a massive update for Internet Explorer 5.0 and 6.0 (but not, apparently, the Beta 2 Preview of IE 7).

full article: http://www.informationweek.com/news/show...=185300437
Update:

Quote: An Internet Explorer update released earlier this week can interfere with some applications, including Google's Toolbar, according to PatchLink, a maker of patch management software.

Other applications affected by the Web browser patch include business software from Oracle's Siebel customer relationship management unit and certain Web applications that use specific versions of Java, PatchLink said Friday.

The problems arise because of changes Microsoft made to how the Web browser handles Web programs called ActiveX controls....

full article: http://news.com.com/Company+warns+on+IE+...g=nefd.top
More news on the problems caused by Microsoft's latest patch:

Quote: Two patches released in Microsoft's April batch of security updates are causing system hangs, Windows crashes and the appearance of strange dialog boxes...

Windows users deploying the MS06-015 update have also complained about problems accessing special folders like "My Documents" or "My Pictures."

In addition, the update is causing Microsoft Office applications to stop responding when Office files are saved or opened in the "My Documents" folder; system freezes when opening a file through an application's file/open menu; and lockups when typing a URL into IE...

full article: http://www.eweek.com/article2/0,1895,1950095,00.asp
Update: Microsoft will be reissuing a fixed version of the recent MS06-015 update, which has been causing lockups and crashes for users.

Quote: The Redmond, Wash. software maker plans to rerelease the problematic MS06-015 update on April 25 to correct an issue that has caused system hangs, Windows crashes and the appearance of strange dialog boxes after the original patch was installed.

"[We have] re-engineered the MS06-015 update to avoid the conflict altogether," said Stephen Toulouse, program manager in the Microsoft Security Response Center.

The company's plan is to target the rerelease only to Windows users who are affected. In a blog entry, Toulouse said the company's patch deployment technologies will have "detection logic" built into them to only offer the revised update to customers who don't have MS06-015 or are having the problem....

full article: http://www.eweek.com/article2/0,1895,1952463,00.asp