Microsoft investigating IE, FTP security vulnerabilities

Proof-of-concept flaw in Explorer affects all versions of the browser

Microsoft's security team announced late last month that it is investigating two proof-of-concept flaws in Microsoft's Web-related software.

One of the flaws offers a possible avenue for remote code execution attacks via Internet Explorer. The other flaw could enable denial-of-service attacks by exploiting a vulnerability in Internet Information Services FTP 7.5, which runs as a part of Windows 7 and Windows Server 2008 R2.

The IE proof-of-concept flaw potentially affects all versions of Microsoft's Web browser. It supposedly works by bypassing protections normally enabled by Microsoft's address space layout randomization (ASLR) and data execution prevention (DEP) technologies. Microsoft described the problem in a blog post in December, suggesting that users could deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) as a workaround.

Microsoft also issued security advisory 2488013 last month about the IE vulnerability. The advisory describes "mitigating factors," including the common practice of keeping software updated, using antivirus solutions and enabling a firewall. The two suggested workarounds in the security advisory included using EMET and boosting the local intranet security zone settings in IE to "high." Upping those settings will block ActiveX and active scripting in that zone.

Microsoft may elect to issue a patch for the IE flaw through its monthly update services or it may release a so-called "out-of-band" patch. However, the security advisory did not indicate when to expect such a fix, if it's coming. The flaw would typically be triggered by first directing an IE user to a malicious Web site, according to the security advisory.

The IIS FTP 7.5 flaw could offer a way to enable denial-of-service attacks, according to a Microsoft blog post. Microsoft is investigating the problem, which is associated with how the FTP server encodes a Telnet "interpret as command" character. An attacker could possibly exploit a heap buffer overrun as a consequence of this flaw, enabling a denial-of-service attack on a site.
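The following is an added example, not code from Microsoft, IIS or the original article. On the FTP control channel, Telnet conventions (RFC 854) require a data byte equal to the "interpret as command" value 0xFF to be sent doubled, so an encoded reply can be up to twice the size of its input. The sketch shows a bounds-checked encoder for that general rule; the function names are hypothetical and the sample bytes are constructed, and it makes no claim about the specific IIS defect, which the article does not detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TELNET_IAC 0xFF  /* Telnet "interpret as command" byte (RFC 854) */

/* Exact size of the escaped form: one extra byte for every IAC in the input.
 * Size the output buffer from this value, never from the raw input length. */
size_t iac_escaped_len(const uint8_t *in, size_t in_len)
{
    size_t n = in_len;
    for (size_t i = 0; i < in_len; i++)
        if (in[i] == TELNET_IAC)
            n++;
    return n;
}

/* Escape `in` into `out`, doubling each IAC byte.
 * Returns the number of bytes written, or -1 if `out` is too small.
 * The remaining-capacity check runs before every write, so the function
 * cannot write past out[out_cap - 1] whatever the input contains. */
long iac_escape(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        size_t need = (in[i] == TELNET_IAC) ? 2 : 1;
        if (out_cap - o < need)
            return -1;              /* refuse instead of overrunning */
        out[o++] = in[i];
        if (need == 2)
            out[o++] = TELNET_IAC;  /* second copy marks it as data */
    }
    return (long)o;
}

int main(void)
{
    /* Constructed sample: 5 input bytes, 3 of them IAC, so 8 bytes escaped. */
    const uint8_t sample[] = { 'A', 0xFF, 'B', 0xFF, 0xFF };
    uint8_t big[8], small[5];

    printf("needed: %zu\n", iac_escaped_len(sample, sizeof sample));
    printf("fits:   %ld\n", iac_escape(sample, sizeof sample, big, sizeof big));
    printf("short:  %ld\n", iac_escape(sample, sizeof sample, small, sizeof small));
    return 0;
}
```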

The company did not issue a security bulletin for the FTP 7.5 flaw, but the blog indicated that the security team may issue a fix through its monthly security update process or provide "additional guidance to help customers protect themselves."

About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including Redmondmag.com, RCPmag.com and MCPmag.com.


Reader Comments

Wed, Jan 5, 2011 RayW

This is news? I assume that Microsoft is flawed, historically speaking. Since Microsoft does very little innovation, just copying or buying ideas and features and making cosmetic/interface changes to look like a new program or to mess up competition, they have always had software with vulnerabilities. Although to be honest, I have never seen a complex program that did not have a way of crashing/hacking it, too many assumptions to make (and keeps me employed). But considering the amount of effort that Microsoft spends on making their products harder to use in the name of anti piracy, 'innovation', and corporate security, spending some of that money on correctly integrating and fixing the 'borrowed'/bought ideas would be better for us the users.

But apparently in the Microsoft corporate mind, flaws only exist for less than six years (from Microsoft Support Lifecycle for WIN 7 Home on 05JAN2011), then you can stop supporting the software and say that the victims have to buy the next version which has no vulnerabilities (despite the fact that often all the newest software is just an overlay on the previous version of software). And of course, if no one points out the flaw or makes a fuss over it, then it is a non-issue and you can table it (sounds like a Dilbert cartoon).
