"Internet Explorer Users: Please Read This"
From Brian Krebs @ his "Krebs on Security" Blog:
Microsoft is urging Windows users who browse the Web with Internet Explorer to use a free tool called EMET to block attacks against a newly-discovered and unpatched critical security hole in IE versions 7, 8 and 9. But some experts say that advice falls short, and that users can better protect themselves by surfing with an alternative browser until Microsoft issues a proper patch for the vulnerability.
EMET, short for the Enhanced Mitigation Experience Toolkit, is a tool that can help Windows users beef up the security of commonly used applications, whether they are made by a third-party vendor or by Microsoft. EMET allows users to force applications to use one or both of two key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system's memory that they need to do their dirty work.
Before I get into the how-tos on EMET, a few caveats. EMET is a great layer of security that Windows users can and should use to enhance the security of applications. But EMET may not block the exploit code now publicly available through the Metasploit framework. In fact, Tod Beardlsey, an engineering manager with Rapid7, the security firm that manages Metasploit, told The Associated Press that EMET does not appear to be completely effective against this exploit.
I asked Metasploit founder HD Moore what he thought was the best way to block this exploit, and he pointed out that the exploit available through Metasploit requires the presence of Java on the host machine in order to execute properly on IE 8/9 on Windows 7 and Vista systems (the exploit works fine without Java against IE7 on XP/Vista and IE8 on XP). Obviously, while the lack of Java on a Windows machine may not prevent other exploits against this flaw, it is a great first start. I have consistently urged computer users of all stripes to uninstall Java if they have no specific use for it.
Using a non-IE browser such as Chrome, Firefox, Opera or Safari is a far safer approach, at least until Microsoft releases a proper patch for this flaw (note that Windows 8 and Internet Explorer 10 are not affected by this vulnerability).
Continued : http://krebsonsecurity.com/2012/09/internet-explorer-users-please-read-this/
Yunsun Wee @ the Microsoft Security Response Center:
September 17, 2012
Today we released Security Advisory 2757760 to address an issue that affects Internet Explorer 9 and earlier versions if a user views a website hosting malicious code. Internet Explorer 10 is not affected.
We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue. In the meantime, customers using Internet Explorer are protected when they deploy the following workarounds and mitigations included in the advisory:
• Deploy the Enhanced Mitigation Experience Toolkit (EMET)
This will help prevent exploitation by providing mitigations to help protect against this issue and should not affect usability of websites.
• Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
Deploying EMET will help to prevent a malicious website from successfully exploiting the issue described in Security Advisory 2757760. EMET in action is unobtrusive and should not affect customers' Web browsing experience.
We are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog and on Twitter at @MSFTSecResponse.
As always, we encourage Internet users to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.
* * * * * * * * * * * * * * *
For Further Details See: Microsoft Security Advisory (2757760)
* * * * * * * * * * * * * * *
Java zero-day leads to Internet Explorer zero-day
Exploit Released for Zero-Day in Internet Explorer
Attackers exploit unpatched Internet Explorer vulnerability