That's the trouble: any site that hasn't kept up with their security can be hacked. Another problem, especially with certain browsers, is that sites often have ads on them from other places; sometimes those can be hacked. I really suggest people consider Firefox along with the NoScript and Adblock Plus plug-ins. You have a lot better chance of not getting things you don't want. Unblocking things you need is a little more effort, but it is worth it.



On 1/3/2013 10:48, Steve wrote:
And, Gerald,

While you think you are safe, pray tell us what is inherently unsafe
about going to the Council of Foreign Relations website?

On its face, this would seem to be an entirely safe site.  But, this is
where the embedded flash code that led to the breach and Microsoft's
subsequent emergency security advisory last weekend (initially December
29 with an update on the 31st) arose.

The problem is, people have no guaranty that sites they routinely visit
are safe.  The CFR site being a good example; it isn't like one would be
visiting a torrent site.

Steve
----- Original Message -----
From: "Gerald Levy" <[email protected]>
To: <[email protected]>
Sent: Tuesday, January 01, 2013 12:00 PM
Subject: Re: [JAWS-Users] Serious security flaw in IE7,8 and possibly 9?



Happy New Year, gang.  This morning, I did a little research about
this security flaw in IE 8, 7 and 6, and found the following FAQs that
explain it in more detail on the Microsoft Security Advisor web site.
It sounds like engaging in safe browsing practices can minimize the
risk of being exploited by hackers who attempt to take advantage of
this flaw.  So contrary to the advice offered by Kim Komando, it may
not be necessary to ditch IE altogether and switch to another browser
as long as you don't click on suspicious links or attachments in email
messages and otherwise follow safe browsing techniques:

"What is the scope of the advisory?
Microsoft is aware of a new vulnerability that affects Internet Explorer.

Is this a security vulnerability that requires Microsoft to issue a
security update?
On completion of our investigation, Microsoft will take the appropriate
action to protect our customers, which may include providing a solution
through our monthly security update release process, or an out-of-cycle
security update, depending on customer needs.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain
the same user rights as the current user. If the current user is logged
on with administrative user rights, an attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted website that is designed to
exploit this vulnerability through Internet Explorer and then convince
a user to view the website. The attacker could also take advantage of
compromised websites and websites that accept or host user-provided
content or advertisements. These websites could contain specially
crafted content that could exploit this vulnerability. In all cases,
however, an attacker would have no way to force users to view the
attacker-controlled content. Instead, an attacker would have to
convince users to take action, typically by getting them to click a
link in an email message or in an Instant Messenger message that takes
users to the attacker's website, or by opening an attachment sent
through email.

I am running Internet Explorer for Windows Server 2003, Windows Server
2008, or Windows Server 2008 R2. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003, Windows
Server 2008, and Windows Server 2008 R2 runs in a restricted mode that
is known as Enhanced Security Configuration.
Enhanced Security Configuration is a group of preconfigured settings in
Internet Explorer that can reduce the likelihood of a user or
administrator downloading and running specially crafted web content on
a server. This is a mitigating factor for websites that you have not
added to the Internet Explorer Trusted sites zone.

What is the Enhanced Mitigation Experience Toolkit v3.0 (EMET)?
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that
helps prevent vulnerabilities in software from being successfully
exploited. EMET achieves this by using security mitigation
technologies. These technologies function as special protections and
obstacles that an exploit author must defeat in order to exploit
software vulnerabilities. These security mitigation technologies do not
guarantee that vulnerabilities cannot be exploited, but work to make
exploitation as difficult to accomplish as possible. In many instances,
a fully functional exploit that can bypass EMET may never be developed.
For more information, see Microsoft Knowledge Base Article 2458544.

Does EMET help mitigate attacks that try to exploit this vulnerability?
Yes. The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate
the exploitation of this vulnerability by adding additional protection
layers that make the vulnerability harder to exploit. EMET is a utility
that helps prevent vulnerabilities in software from being successfully
exploited for code execution, by applying the latest security
mitigation technologies. At this time, EMET is provided with limited
support and is only available in the English language.
For more information, see Microsoft Knowledge Base Article 2458544."


Gerald


----- Original Message -----
From: "Greg Washington" <[email protected]>
To: <[email protected]>
Sent: Monday, December 31, 2012 5:53 PM
Subject: [JAWS-Users] Serious security flaw in IE7,8 and possibly 9?


I subscribe to the Kim Komando newsletter.  She just sent out a special
security alert warning against hackers exploiting flaws in IE6,7,8 and
even 9 that can allow someone to completely take over your computer.
She recommends switching to either IE10 or Firefox or Chrome.  Which of
these alternatives to IE6-9 work best with JAWS?  I am using JAWS
13.0.1006 on a Windows 7 computer.  The link to her alert is below.

http://www.komando.com/tips/index.aspx?id=13834&utm_medium=nl&utm_source=alerts&utm_content=2012-12-31-article-in-body-a

Greg Washington



For answers to frequently asked questions about this list visit:
http://www.jaws-users.com/help/

