Microsoft’s new flagship operating system, Windows 8, was released at the end of October, and a new zero-day arrived with it. A recent article in SC Magazine describes how the French security firm Vupen is offering the recently discovered zero-day for sale: reportedly a mere $50,000.00 could buy you a vulnerability said to affect the new Internet Explorer 10 browser.
According to the article:
Last week, Vupen CEO Chaouki Bekrar tweeted that “various” IE10 and Windows 8 vulnerabilities had been combined to circumvent exploit mitigation safeguards in Windows 8, which was released to the public on Oct. 26. The exploit was reportedly not disclosed to Microsoft, nor was its price made public. Vupen did reveal that the zero-day could allow a particularly skilled hacker to bypass embedded security measures, which include high-entropy address space layout randomization (HiASLR), anti-return oriented programming (AntiROP), data execution prevention (DEP) and protected-mode sandbox.
According to the article, Vupen sells the vulnerability information only to governments and businesses, but this is still very concerning. Because they have not shared it with Microsoft, the flaw could become a way to hold applications, businesses and governments hostage. Secure coding needs to be a priority for developers, and time to market needs to be properly balanced against ensuring that as few vulnerabilities as possible ship in the first place.
Microsoft has released Microsoft Security Advisory (2757760) regarding the zero-day vulnerability within IE. According to the advisory:
Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.
The advisory does not provide a fix, but continues to point users to “Microsoft Security Best Practice.” It may be worthwhile for users either to start using Chrome or Firefox or to upgrade from Windows XP and Vista. It is still too early to know whether the upgrade to Windows 8 will be worth it…
A new zero-day exploit for Internet Explorer has been identified in the wild. There is still no CVE number or other data, but the vulnerability is associated with a flaw in the handling of img arrays that could allow a context-dependent attacker to execute arbitrary code.
In Microsoft Security Advisory (2661254), posted August 16, Microsoft warns that certificates using RSA keys shorter than 1024 bits will no longer be trusted. While this is almost a month old, the official Microsoft TechNet Blog on September 6 is reiterating the issue and alerting businesses to update the keys they are using in advance of the October Windows Update push.
The blog states the following:
“As many of you are aware, Security Advisory 2661254 was initially made available in August via the Download Center and the Microsoft Update Catalog, with distribution through Windows Update planned for October 2012. To help ensure that all customers are prepared for the update, we are reiterating those announcements before releasing the requirement change with our monthly bulletins on Oct. 9. Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they “still work” and have not had any cause for review for some time.”
Microsoft is warning those who do not patch, or who are slow to patch, that their systems may soon break as a result of this change. What is important to note is that this will impact end users as well, which means businesses could get calls from customers unable to access websites whose certificates have not been updated.
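The inventory review the TechNet blog asks for can be scripted. The following PowerShell is an added example written for this post; it is not code from Microsoft or from the advisory. It walks every certificate store on the local machine, picks out certificates whose public key is RSA, and reports any key shorter than the 1024-bit threshold. The threshold variable, the CSV path under `$env:TEMP`, and the report columns are choices made for this example, not anything the advisory prescribes.

```powershell
# Added example (not from the page or from Microsoft): list every certificate
# in the local certificate stores whose RSA public key is shorter than 1024 bits,
# the length that Windows stops trusting once the update from Security Advisory
# 2661254 is installed. Run from an elevated PowerShell session so that the
# LocalMachine stores are readable as well as CurrentUser.
# $MinBits and $Report are assumptions for this example.

$MinBits = 1024
$Report  = Join-Path $env:TEMP 'weak-rsa-certs.csv'

$weak = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |                      # skip store locations and stores, keep certificates
    Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |   # only RSA keys are affected by the advisory
    ForEach-Object {
        $bits = $null
        try { $bits = $_.PublicKey.Key.KeySize } catch { }       # key object can be unavailable for odd encodings
        if ($bits -ne $null -and $bits -lt $MinBits) {
            [pscustomobject]@{
                Store      = ($_.PSParentPath -replace '^.*::', '')  # e.g. LocalMachine\My
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                KeyBits    = $bits
                NotAfter   = $_.NotAfter
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Thumbprint = $_.Thumbprint
            }
        }
    }

$weak | Sort-Object Store, Subject | Format-Table -AutoSize
$weak | Export-Csv -Path $Report -NoTypeInformation
Write-Host ("{0} RSA certificate(s) under {1} bits; report written to {2}" -f @($weak).Count, $MinBits, $Report)
```

Because chain building validates every key in the chain, a short key in the Root or CA stores breaks trust for everything issued beneath it, so the scan deliberately covers all stores rather than just the Personal (My) store where server certificates live. Anything the report lists should be reissued with a 1024-bit or longer key (2048 bits is the sensible default) before the October update reaches the machine.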