Microsoft Releases Security Advisory for Internet Explorer

Original release date: September 18, 2013

Microsoft has released Security Advisory 2887505 regarding a remote code execution vulnerability (CVE-2013-3893) impacting Internet Explorer versions 6 through 11. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. The Microsoft Fix it solution, "CVE-2013-3893 MSHTML Shim Workaround," prevents exploitation of this issue.

US-CERT encourages administrators to review Microsoft Security Advisory 2887505 and Knowledge Base article 2887505 and follow best practice security policies to determine which updates should be applied.


This product is provided subject to this Notification and this Privacy & Use policy.


NSA aims to plug holes that sprang Snowden leaks

Trying to prevent the kind of leaks carried out by former contractor Edward Snowden, National Security Agency (NSA) officials will now tag sensitive documents and data with digital identifiers that limit access to select intelligence analyst, according to a published report. The measure is one of several security reforms being implemented three months after the publication of reams of highly classified reports documenting the agency's expansive surveillance programs.

In addition to allowing sensitive materials to be accessed only by people who have a documented need to review them, the tags will allow NSA leaders to better track what individuals do with the data, National Public Radio reported Wednesday. "Could someone today do what [Snowden] did? No," NSA CTO Lonny Anderson told the news service.

Another reform the NSA has implemented is designed to remove anonymity from the network. "If you've got privileged access to our network, like a systems administrator [has], if you're being given a privilege that very few people have, you're not going to do anything alone," Anderson said. Additionally, NSA security officers are now limiting the options employees have for storing data on their own thumbdrives and other storage devices. As of June, when Snowden reportedly handed over documents to reporters, some NSA computers were equipped with USB ports that connected with thumbdrives. That has since changed.

Read 2 remaining paragraphs | Comments


    






Researchers can slip an undetectable trojan into Intel’s Ivy Bridge CPUs

Scientists have developed a technique to sabotage the cryptographic capabilities included in Intel's Ivy Bridge line of microprocessors. The technique works without being detected by built-in tests or physical inspection of the chip.

The proof of concept comes eight years after the US Department of Defense voiced concern that integrated circuits used in crucial military systems might be altered in ways that covertly undermined their security or reliability. The report was the starting point for research into techniques for detecting so-called hardware trojans. But until now, there has been little study into just how feasible it would be to alter the design or manufacturing process of widely used chips to equip them with secret backdoors.

In a recently published research paper, scientists devised two such backdoors they said adversaries could feasibly build into processors to surreptitiously bypass cryptographic protections provided by the computer running the chips. The paper is attracting interest following recent revelations the National Security Agency is exploiting weaknesses deliberately built-in to widely used cryptographic technologies so analysts can decode vast swaths of Internet traffic that otherwise would be unreadable.

Read 7 remaining paragraphs | Comments


    






New Internet Explorer Zero-day Found in Targeted Attacks

On September 17, Microsoft issued an advisory reporting a new zero-day vulnerability in Internet Explorer: Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893). The advisory states that the vulnerability may corrupt memory in a way that could allow attackers to execute arbitrary code. The attack works by enticing users to visit specially crafted websites that host the vulnerability through Internet Explorer. Microsoft also states that at this time the vulnerability is known to be exploited in only a limited number of targeted attacks.

While Microsoft is yet to release a patch for this vulnerability, they have provided a temporary "Fix It” tool solution as a workaround until a security update is made available. To ensure Symantec customers are protected against this Internet Explorer zero-day, the following protection has been put in place:

Antivirus

Intrusion Prevention System

Symantec will continue to investigate this attack to ensure the best possible protection is in place. As always, we recommend that users keep their systems up-to-date with the latest software patches and refrain from opening any suspicious emails. We also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.