Microsoft investigating IE, FTP security vulnerabilities

Proof-of concept-flaw in Explorer affects all versions of the browser

Microsoft's security team announced late last month that it is investigating two proof-of-concept flaws in Microsoft's Web-related software.

One of the flaws offers a possible avenue for remote code execution attacks via Internet Explorer. The other flaw could enable denial-of-service attacks by exploiting a vulnerability in Internet Information Services FTP 7.5, which runs as a part of Windows 7 and Windows Server 2008 R2.

The IE proof-of-concept flaw potentially affects all versions of Microsoft's Web browser. It supposedly works by bypassing protections normally enabled by Microsoft's address space layout randomization (ASLR) and data execution prevention (DEP) technologies. Microsoft described the problem in a blog post in December, suggesting that users could deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) as a workaround.

Microsoft also issued security advisory 2488013 last month about the IE vulnerability. The advisory describes "mitigating factors," including the common practice of keeping software updated, using antivirus solutions and enabling a firewall. The two suggested workarounds in the security advisory included using EMET and boosting the local intranet security zone settings in IE to "high." Upping those settings will block ActiveX and active scripting in that zone.

Microsoft may elect to issue a patch for the IE flaw through its monthly update services or it may release a so-called "out-of-band" patch. However, the security advisory did not indicate when to expect such a fix, if it's coming. The flaw would typically be triggered by first directing an IE user to a malicious Web site, according to the security advisory.

The IIS FTP 7.5 flaw could offer a way to enable denial-of-service attacks, according to a Microsoft blog post. Microsoft is investigating the problem, which is associated with how the FTP server encodes a Telnet "interpret as command" character. An attacker could possibly exploit a heap buffer overrun as a consequence of this flaw, enabling a denial-of-service attack on a site.

The company did not issue a security bulletin for the FTP 7.5 flaw, but the blog indicated that the security team may issue a fix through its monthly security update process or provide "additional guidance to help customers protect themselves."

About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including Redmondmag.com, RCPmag.com and MCPmag.com.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.