Microsoft points to security tool to plug IE vulnerability

Summary: Windows users are asked to download free security software following the recent discovery of a zero-day vulnerability in Internet Explorer.

Microsoft has urged Windows users to install free security software to protect their PCs from a newly discovered vulnerability in its Internet Explorer browser.

The software giant said it will advise customers on its Web site to install the software as an interim measure, buying some time for it to fix the bug and release a new, more secure version of Internet Explorer, Reuters reported on Monday.

The free security tool, called the Enhanced Mitigation Experience Toolkit (EMET), will prevent hackers from gaining access to Windows-based systems and is currently available on Microsoft's Web site.

This comes after security researcher Eric Romang discovered a new zero-day vulnerability in Internet Explorer, which he claimed would affect fully patched versions of Microsoft Internet Explorer 7, 8 and 9.

Topics: Security, Browser, Microsoft

Ellyne Phneah

Talkback

27 comments
  • Microsoft releases security software for IE vulnerability

    Enhanced Mitigation Experience Toolkit (EMET) has always been available.

    The complete list of workarounds is given in the advisory:
    technet.microsoft.com/en-us/security/advisory/2757760
    RickLively
    • EMET 3 makes a difference

      I remember looking at EMET and thinking deployment within the enterprise would be cumbersome even after app compatibility was tested for. Now at least they have released ADML/ADMX files so that changes arising from discovered incompatibilities can be rapidly dealt with. We are also on Office 2007 whereas the first time I looked at EMET we had a substantial base of Office XP which was not compiled with support for DEP.
      dowlingm
  • thanks for the update

    Thank you for the informative update; it was short and to the point. When I saw a similar report in Mashable, I found it to be virtually unreadable in how it conveyed what was going on and what normal end-users are advised to do. Your update was a breath of fresh air. Keep up the good writing.
    jij98111@...
  • A tool..

    Why not fix Microsoft software in the first place, instead of releasing yet another piece of buggy software?

    If you can't trust IE, why should you trust EMET?
    danbi
    • You can't fix something when the exploit hasn't been found yet.

      Computer science 101: all software has flaws in it.

      The same logic goes for the huge security update to iTunes and the Webkit update; just be thankful Microsoft does a better job of communication and has a faster response than other vendors that keep users in the dark.
      Samic
      • What vendor(s) are keeping you in the dark?

        “vendors that keep users in the dark.”
        RickLively
    • danby fools

      dude where is your valid argument?
      an opinion is allowed, but you don't present a valid argument
      you present yourself as an idiot
      techguru@...
  • Microsoft points to security tool to plug IE vulnerability

    Kudos to Microsoft for releasing this tool free of charge. There are plenty of good ways to protect yourself when using IE; it's got built-in tools to do this as well.
    Loverock Davidson-
    • What tools?

      “it's got built-in tools to do this as well.”

      Protect IE7, IE8 and IE9.
      RickLively
    • EMET is not new

      EMET v1.0 was released in October 2009, so it is not a new tool. If you weren’t aware of this fact, you should follow Microsoft’s security blogs more closely:

      http://blogs.technet.com/b/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx

      Microsoft Security Response Center Blog:
      http://blogs.technet.com/msrc/

      Microsoft Security Research and Defense Blog:
      http://blogs.technet.com/srd/default.aspx

      Microsoft Security Blog:
      http://blogs.technet.com/b/security/

      Microsoft Malware Protection Blog:
      http://blogs.technet.com/b/mmpc/

      Internet Explorer’s built-in mitigations are separate from EMET’s capabilities but do complement them. IE does not have EAF, Null Page Allocation or Heap Spray allocation mitigations (although HEASLR of IE 10 64 bit does help to protect against heap spray techniques).

      A full list of IE 10 security mitigations is given in the following blog post:

      http://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx

      More information about the type of mitigations that EMET has is located at the following link:

      http://www.infoworld.com/t/microsoft-windows/microsoft-shuffles-windows-security-deck-emet-21-831

      I hope this helps. Thank you.
      JimboC421
  • how about IE 10?

    Is that vulnerable also, or not? Getting info on updates is tricky on Win 8 RTM.
    Old Dog V
    • IE 10 is not vulnerable

      Hi Old Dog V,

      IE10 is not vulnerable according to Microsoft’s Security Advisory:

      http://technet.microsoft.com/en-us/security/advisory/2757760

      I hope this helps. Thank you.
      JimboC421
      • Could be a slick MS trick to get the sheep peeps to move forward

        And smack into Metrosexual Explorer territory. I smell a rat.
        klumper
  • What the H...

    is an "enhanced mitigation experience"??? LOL Does M$ even pause and read their stuff anymore before just throwing it out there? I mean, yeah...I sure hope for an enhanced mitigation experience, instead of a lesser mitigation experience. [eyeroll]
    Techboy_z
    • EMET

      Hi techboy_z,

      Agreed, when they released EMET in October 2009, from what I can tell, not much thought was given to its name. My choice would be Enhanced Mitigation Toolkit or simply Mitigation Toolkit. I can see the rationale for including “Enhanced” since at the time, the mitigations available in EMET were not widely (if at all) available in Windows and/or Internet Explorer.

      What has happened since is that Windows and Internet Explorer are receiving more and more security defences. It seems to be working too, since IE 10 is not vulnerable to this exploit. However, given time, those defences will inevitably be overcome. It’s strange; there appears to be a race to find a flaw when a new OS is made available. I have seen it happen several times over the years where an exploit is almost available within 1 week of release.

      Thanks.
      JimboC421
    • Not to worry

      @techboy_z
      "What the H... is an "enhanced mitigation experience"??? LOL Does M$ even pause and read their stuff anymore before just throwing it out there?"

      They'll get around to renaming it soon enough so it makes more sense, like they do with all their products. You know, something like "Windows Live ----".

      Oh wait...
      klumper
  • good news

    @JimboC421

    thanx for word.
    the auto update thingy is not what I really like, little info there, no choices. Presumably will be better when on open market.
    Old Dog V
    • Re: good news

      Hi Old Dog V,

      You are more than welcome.

      If you are referring to the auto updater to be made available next month for the less than 1024 bit certificates, you can find all of the information about it from the following articles:

      http://blogs.technet.com/b/msrc/archive/2012/09/06/september-ans-and-an-important-heads-up-concerning-certificates.aspx

      http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx

      http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx

      http://blogs.technet.com/b/pki/archive/2012/08/14/blocking-rsa-keys-less-than-1024-bits-part-3.aspx

      If you are referring to Automatic Updates of Windows, I can answer any of the questions you may have about it. You are right; there will be more info about Windows 8 in general after October 26th when it is available on the open market.

      Yes, Windows 8 has reached RTM, but only to corporate customers and MSDN subscribers.
      If I can assist further, please let me know since I follow security and product news from Microsoft closely.

      Thank you.
      JimboC421
  • Better to just download, install and use an alternate web browser

    until Microsoft patches this vulnerability.

    Google Chrome, Mozilla Firefox and Opera are fine alternatives.
    Rabid Howler Monkey
  • EMET is not much of a solution.

    Very recently from Reuters: "The German government urged the public on Tuesday to temporarily stop using Microsoft Corp's Internet Explorer following discovery of yet-to-be repaired bug in the web browser that the software maker said makes PCs vulnerable to attack by hackers."

    Further down, Reuters also mentions Microsoft's response as urging its customers to use EMET: "The EMET software must be downloaded, installed and then manually configured to protect computers from the newly discovered threat, according to the posting from Microsoft. The company also advised customers to adjust several Windows security settings to thwart potential attackers, but cautioned that doing so might impact the PC's usability."

    Seriously, the average computer user has no clue how to do any of this stuff, and word has it that EMET only protects against less sophisticated attacks (An Iranian researcher named Shahriyar Jalayeri posted two exploits last month that bypassed EMET protection.)
    JustCallMeBC