New attack against IE could expose all files on a victim's PC

Four to five flaws in design features of IE.

Microsoft's popular Internet Explorer web browser suffers from several minor flaws, which, when combined, can allow an attacker to read all the files on a user's computer, according to researchers at penetration testing vendor Core Security Technologies.

This new security issue came to light just days after Microsoft delivered an emergency patch to correct several other IE vulnerabilities, including at least one that was used in the recent attacks against more than 30 brand companies.

Jorge Luis Alvarez Medina, a security consultant at Core Security Technologies, is scheduled to give a presentation on Feb. 3 at the Black Hat conference in Washington DC, demonstrating how an attacker could leverage four to five flaws in design features of Internet Explorer to read every file on a user's computer. Following the presentation, Medina plans to release a proof of concept demonstrating the attack, as well as further details on the flaws.

“It's not a presentation about how to exploit a bug in the browser, but how to take advantage of different, legitimate features of IE to deploy an attack vector,” Medina said. “Those features that are part of this attack are not vulnerabilities in and of themselves, but features that involve minor risk.”

While each bug poses a low security risk on its own, they can be combined to launch the attack, Medina said. IE versions 8 and earlier are affected.

“All an attacker needs is for a victim to click on a link and that's it,” Medina said. “An attacker would be able to read every file from a victim's machine.”

Core Security researchers have been working with Microsoft to fix the issues for some time, Medina said.

Microsoft is investigating the issue and has not identified any attacks in the wild, Dave Forstrom, group manager, Microsoft's Trustworthy Computing, said in a statement sent to SCMagazineUS.com.

“Once we're done investigating, we will take appropriate action to help protect customers,” Forstrom said. “This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.”

Medina, however, said that some of these minor bugs “will probably never get fixed.” Since the attack leverages flaws that exist in legitimate IE features, Microsoft cannot fix all the problems without impacting existing applications, he said.

Meanwhile, Microsoft recommends users upgrade to IE 8, sign up for Microsoft Update and enable the automatic update functionality to ensure their browser is up to date with the most secure version.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition