Newsletters
News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Click for more information, or
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
APC Free White Paper
Optimize your network investment &
Enter to win a Samsung Galaxy Note

www.apc.com
Enterprise I.T.
24/7/365 Network Uptime!
Average Rating:
Rate this article:  
Is Your Enterprise at Risk from IE Zero-Day Flaw?
Is Your Enterprise at Risk from IE Zero-Day Flaw?

By Jennifer LeClaire
April 30, 2014 10:29AM

    Bookmark and Share
"The best advice is to ensure all systems have EMET (Microsoft's Enhanced Mitigation Experience Toolkit) deployed and that unnecessary browser add-ons are disabled. This should be part of an enterprise's standard security posture and shouldn't require extra cycles or last-minute deployment," said security researcher Tyler Reguly.
 



After announcing a zero-day vulnerability in Internet Explorer over the weekend, Microsoft has updated its advisory to make the workarounds more clear for enterprises affected. The good news is attacks in the wild only affect versions 9, 10 and 11.

First, let's review the danger. Microsoft reported that an attacker that successfully exploits this vulnerability -- which uses Adobe Flash as a way in -- could gain the same user rights as the computer's user.

"If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," Redmond said. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft suggested its Enhanced Protection Mode as a workaround. EPM is a feature found in IE 10 and 11 on 64-bit systems.

The update Tuesday to the weekend security advisory clarifies that EPM will help protect users of Internet Explorer 10 on Windows 7 for x64-based systems, Windows 8 for x64-based systems, and Windows RT, and Internet Explorer 11 on Windows 7 for x64-based systems, Windows 8.1 for x64-based systems, and Windows RT 8.1.

When Will the Madness End?

We caught up with Jeff Davis, vice president of engineering at security solutions firm Quarri Technologies, to get his take on the zero-day flaw. He told us browser vendors will never patch the "last vulnerability," and we'll probably always have to deal with new zero-day drive-by exploits from time to time.

"To give you an idea of the complexity of modern browsers, Chrome and Firefox each have more than 7 million lines of code and average more than 4,000 commits per month," said Davis. "Even if one of them spent three months doing a massive security audit, by the time they finished there would be 12,000 additional changes to review."

On top of that, Davis said, security audits don't pay the bills unless you're the auditor, so patching issues will always be to some extent a reactive process. Given all this, he concluded, purpose-built browser security solutions are a necessity these days for browsers that handle sensitive information.

Who's Most at Risk?

Tyler Reguly, manager of security research at security software firm Tripwire, told us many enterprises users don't have permissions to install alternatives to IE -- so it's gong to continue to be a target for attackers.

"People are overlooking Microsoft's mention of 'limited, targeted attacks.' Exploits for the vulnerability aren't widespread yet and may not become widespread before patches are released," Reguly said. (continued...)

1  |  2  |  Next Page >

 

Tell Us What You Think
Comment:

Name:



APC has an established a reputation for solid products that virtually pay for themselves upon installation. Who has time to spend worrying about system downtime? APC makes it easy for you to focus on business growth instead of business downtime with reliable data center systems and IT solutions. Learn more here.


 Enterprise I.T.
1.   IBM Beefs Up Identity Intelligence
2.   USB Security Flaw Uncovered
3.   AMD Debuts 64-Bit ARM Server Chips
4.   Asana Revamps Mobile App
5.   BlackBerry Acquires Secusmart


advertisement
IBM Beefs Up Identity Intelligence
To offer biz better security products.
Average Rating:
AMD Debuts 64-Bit ARM Server Chips
New Opterons target data center needs.
Average Rating:
Dell, BlackBerry Downplay Threat
Say Apple-IBM alliance can't hurt them.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
New 'Backoff' Malware Slips Undetected into Retail Systems
'Malicious actors' are using a new variety of malware to access consumer payment data remotely through point-of-sale systems, according to a report from the Department of Homeland Security.
 
IBM Beefs Up Identity Intelligence Security Solutions
Big Blue is betting big on identity intelligence. IBM just acquired a private firm with security software to govern user access to apps and data across cloud and on-premise environments.
 
USB Security Flaw Lets Hackers Hijack PCs
Hackers can use the firmware that controls USB functions to take control of computers, say security experts. That means there may be a new class of attack for which there are no defenses.
 

Enterprise Hardware Spotlight
AMD's ARM-Based Opteron Out in $3K Dev Kit
It's dubbed "Seattle" and it's AMD's first 64-bit ARM-based Opteron processor. The low-power chip is being released as part of AMD’s Opteron A1100-series developer kit, and aimed at high-end data center needs.
 
Apple Updates MacBook Pros, Cuts Prices Up to $100
The popular MacBook Pro laptop line just got an update and a price cut of as much as $100. The MacBook Pro with Retina display now includes faster processors and double the memory.
 
Dell, BlackBerry Not Sweating Apple-IBM Alliance
IBM's recent move to partner with Apple to sell iPhones and iPads loaded with corporate applications has excited investors in both companies, but two rivals say they are unperturbed for now.
 

Mobile Technology Spotlight
Virgin Mobile Offers Custom Smartphone Plans
As the wireless carrier wars continue heating up, Virgin Mobile just threw the customization coal onto the fire. The firm has debuted a no-annual-contract plan with rates based on individual use.
 
Collaboration Provider Asana Revamps Mobile App
Asana, a collaboration software provider started by a Facebook founder, is now out with a rebuilt native iOS mobile app. It replaces one that even the company admits was not up to par.
 
FTC Wants Fix for 'Perfect Scam' of Mobile Cramming
The U.S. Federal Trade Commission has issued new guidelines to curb “mobile cramming,” a troublesome practice that adds unauthorized third-party charges to mobile phone bills.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.