Microsoft issues Fix It for IE vulnerability

Microsoft issues Fix It for IE vulnerability

According to this Computerworld article and Security Garden Blog:

Microsoft has released a quick fix for a vulnerability in older versions of its Internet Explorer browser that is actively being used by attackers to take over computers.

Microsoft Fix it

Microsoft Fix it

Fix it for Security Advisory 2794220 now available – Microsoft TechNet Blog

We have updated Security Advisory 2749920 to include the Fix it we discussed in Saturday’s blog post.  This easy, one-click Fix it is available to everyone and prevents the vulnerability from being used for code execution without affecting your ability to browse the Web. Additionally, applying the Fix it does not require a reboot. While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems.

BOLD emphasis mine.

Even if you use another browser, this Fix it should still be applied.

Advertisements

Dangerous Internet Explorer Flaw Jeopardizes GMail accounts

‘State-sponsored attackers’ using IE zero-day to hijack GMail accounts – ZDNet:

Microsoft’s advisory speaks of “active attacks” and follows a separate note from Google that references the IE flaw “being actively exploited in the wild for targeted attacks.”

IMPORTANT: This is not the MS12-037 that Microsoft just patched this week on Patch Tuesday.

This is a zero-day vulnerability. Both Microsoft and Google have issued warnings regarding it.

There are Twitter warnings all over the place about “Warning: State-Sponsored attackers may be trying to compromise your account or computer“.

In leiu of a patch for Internet Explorer to fix this vulnerability, Microsoft has devised a “FixIt” Tool intended to block the attack vector:

Microsoft Knowledge Base Article 2719615

Also, according to the ZDNet article:

Microsoft also recommends that Windows users deploy the Enhanced Mitigation Experience Toolkit (EMET), which helps prevent vulnerabilities in software from successfully being exploited.

However, either way, it makes great sense to use Microsoft’s “FixIt” Tool to mitigate this zero-day Internet Explorer vulnerability whether you use Internet Explorer or not.

If you do not wish to use the “FixIt Tool”, you could also use the pre-advisory instructions under the Suggested Actions section to mitigate the problem by disallowing Active Scripting from automatically running on your system (set it to prompt you to allow).

New Flash Player Zero Day

[tweetmeme source=”franscomputerservices” only_single=false]ZDNet reports, Adobe warns of new Flash Player zero-day attack:

Hackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.

These are being used to steal secrets from corporations, likely through downloaded and emailed MS Word documents such as Excel.

Adobe is working on patches for Flash 10.2.x and for earlier versions as well, for just about every OS out there.

Adobe Reader X protected mode will “prevent an exploit of this kind from executing.” The actual fix won’t come till their normal patch cycle in June for Adobe Reader. So be sure to get the latest version (Adobe Reader X)!

Much more in the article including information and links to Adobe’s security release.