Story: Microsoft: Hole exploit threatens all IE versions

Posted by: lumension (Thursday 18 December 2008, 7:46 PM)

IE IE OH!

This is the second time in 18 months that Microsoft has gone out of band to release an emergency patch (last time being October for the RPC issue) for Internet Explorer, which is being actively exploited right now. There has been Proof of Concept (POC) code for the exploit available since December 11th. Coming just the week before Christmas, and given the wide use of IE within business enterprises and the severity of the vulnerability, clearly IT professionals need to patch this vulnerability as soon as business conditions permit. There were over 100 websites on Dec 11th hosting some type of malware associated with this vulnerability. Today, that has grown to thousands of sites now hosting the malware.

Microsoft felt this issue warranted an out of band patch because the underlying exploit was being actively used in the wild and damage was mounting. There are reports of up to 6000 compromised web sites hosting web pages that take advantage of the vulnerability.

A recent study titled “Understanding the Web browser Threat: Examination of Vulnerable Online Web browser Populations and the Insecurity Iceberg” found that 57% of IE users were not running the most current version that’s patched. This will be a wake-up call to IT professionals to make sure to patch their browsers. This speaks volumes to the underlying problem with web-borne malware. We as a community are constantly trying to outsmart the bad guys on their delivery method. However, it is not necessarily a delivery / obfuscation issue – the underlying issue is a failure to patch, including their browsers. A recent Verizon study showed that over 70% of the exploits used in web-borne malware had vendor patches available for up to a year and less than 1% had patches available within a 30 day window. The web-borne malware issue is a patch management issue and can be simply fixed by patching in a timely fashion according to industry best practices.
