Windows 10: Temporary micropatch available for zero-day Windows exploit

"A publicly disclosed Windows zero-day vulnerability could allow attackers to take full control of systems once they compromise a low-privilege account. Here's a fix."

Source: Temporary micropatch available for zero-day Windows exploit

:)

 

IE10 zero day exploit and mobile browser

New Windows Phone user here. I read about this IE10 zero day and wondered if it could affect me.



New zero-day bug in IE 10 exploited in active malware attack, MS warns (updated)



Is it safe to say that because Windows Phone uses the mobile version of IE10 it isn't affected by this as the desktop version of IE10 would be?

 

Cisco zero-day exploited in the wild to crash and reload devices

https://tools.cisco.com/security/cen...asaftd-sip-dos

Cisco zero-day exploited in the wild to crash and reload devices | ZDNet

 

Internet Explorer hit by zero-day exploit, temporary fix issued



Microsoft is urging users of Internet Explorer to download a free security tool, enhanced Mitigation Experience Toolkit (EMET), as an interim measure against a previously unknown zero-day exploit in its web browser software that is under active malware attack by hackers.

Eric Romang, a researcher in Luxemburg, discovered it on Friday after finding his computer infected by the Poison Ivy Trojan, used by hackers to gain remote access to their victims' computers to steal data. According to Romang, further analysis revealed it got onto his computer via a flaw in Internet Explorer.

Poison Ivy exploits a “use-after-free vulnerability” in IE that enables a hacker to create an image URL referencing uninitialized memory. This corrupts the memory and once completely executed gives the attacker remote access with the same permissions as the current user

The vulnerability affects computers running all versions of Internet Explorer from IE6 to IE9, on every single OS release since Windows XP right through to Windows 7 and Server 2008. Interestingly though, Microsoft’s IE 10 running on Windows 8 and Server 2008 are not affected according to Microsoft’s Security Advisory.

“What may be most worrying is that Windows Vista and 7 don’t protect you,” said HD Moore, CSO of security firm Rapid 7, and the chief architect of the Metasploit tool kit, used widely by penetration testers and hackers. “This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS. The surprising thing about this is the fact they (Metasploit researchers) got [it] to work across every one of these platforms.”

The flaw could be sidestepped by upgrading from Oracle’s Java Standard Edition 6 to the newer Java Standard Edition 7 version, though this is not recommended as there is another critical flaw that Oracle hasn’t yet acknowledged or patched in Java 7 Update 7, which could allow an attacker to take control of the computer, according to Ars Technica.

The interim fix using EMET will likely prove complicated for many, especially businesses who may suffer adverse effects with existing software used on their networks. Because of this, security firms such as Symantec recommend computer users switch to an alternative browser like Chrome or Firefox, at least until Microsoft releases a permanent fix to plug the exploit.

http://www.techspot.com/news/50193-...by-zero-day-exploit-temporary-fix-issued.html