Microsoft investigating IE, FTP security vulnerabilities

Proof-of concept-flaw in Explorer affects all versions of the browser

Microsoft's security team announced late last month that it is investigating two proof-of-concept flaws in Microsoft's Web-related software.

One of the flaws offers a possible avenue for remote code execution attacks via Internet Explorer. The other flaw could enable denial-of-service attacks by exploiting a vulnerability in Internet Information Services FTP 7.5, which runs as a part of Windows 7 and Windows Server 2008 R2.

The IE proof-of-concept flaw potentially affects all versions of Microsoft's Web browser. It supposedly works by bypassing protections normally enabled by Microsoft's address space layout randomization (ASLR) and data execution prevention (DEP) technologies. Microsoft described the problem in a blog post in December, suggesting that users could deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) as a workaround.

Microsoft also issued security advisory 2488013 last month about the IE vulnerability. The advisory describes "mitigating factors," including the common practice of keeping software updated, using antivirus solutions and enabling a firewall. The two suggested workarounds in the security advisory included using EMET and boosting the local intranet security zone settings in IE to "high." Upping those settings will block ActiveX and active scripting in that zone.

Microsoft may elect to issue a patch for the IE flaw through its monthly update services or it may release a so-called "out-of-band" patch. However, the security advisory did not indicate when to expect such a fix, if it's coming. The flaw would typically be triggered by first directing an IE user to a malicious Web site, according to the security advisory.

The IIS FTP 7.5 flaw could offer a way to enable denial-of-service attacks, according to a Microsoft blog post. Microsoft is investigating the problem, which is associated with how the FTP server encodes a Telnet "interpret as command" character. An attacker could possibly exploit a heap buffer overrun as a consequence of this flaw, enabling a denial-of-service attack on a site.

The company did not issue a security bulletin for the FTP 7.5 flaw, but the blog indicated that the security team may issue a fix through its monthly security update process or provide "additional guidance to help customers protect themselves."

About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including Redmondmag.com, RCPmag.com and MCPmag.com.

Featured

  • Management
    people standing on keyboard (Who is Danny/Shutterstock.com)

    OPM-GSA merger plan detailed in legislative proposal

    The White House is proposing legislation for a dramatic overhaul of human resources inside government and wants $50 million to execute the plan.

  • Cloud
    cloud applications (chanpipat/Shutterstock.com)

    GSA plans civilian DEOS counterpart

    GSA is developing a cloud email and enterprise services contract inspired by the single-source vehicle the Department of Defense devised for back-office software.

  • Defense
    software (whiteMocca/Shutterstock.com)

    DOD looks to unify software spending for 2020

    Defense Department acquisition head, Ellen Lord, hopes to simplify software buying and improve business systems following the release of the Defense Innovation Board's final software acquisition study.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.