Microsoft Security Advisory 2794220 ~ Security Garden

Saturday, December 29, 2012

Microsoft Security Advisory 2794220

Tweet This

Security Advisory
Microsoft released Security Advisory 2794220 to address an issue that affects Internet Explorer versions 6, 7 and 8.  Internet Explorer versions 9 and 10 are not affected.

At this time, Microsoft is aware of a very small number of targeted attacks.  This issue allows remote code execution if users browse to a malicious website with an affected browser.  Generally, this is a result of an attacker convincing someone to click a link in an email or instant message.

Recommendations:

Microsoft is actively working to develop a security update to address the issue.  In the meantime, please consider the following suggestions:

1.  Update Internet Explorer -- If your operating system is Windows Vista or Windows 7, update to Internet Explorer 9.  For Windows XP, your system will be more secure if you update to Internet Explorer 8.

2.  Update or Uninstall Java -- Current exploits of this type of vulnerability in Internet Explorer use third-party software, including Oracle’s Java, to help obtain reliable exploitation.

Most home computer users no longer need Java.  Following are reasons why someone may need Oracle Sun Java installed on their computer:

  • Playing on-line games generally requires Java.
  • With OpenOffice, Java is needed for the items listed here
  • It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
  • There may be commercial programs that depend on Java. If Java is needed for a software installed on your computer, there should be a prompt for it.
If you need Java, be sure you have uninstalled all old, vulnerable versions and have only the most recent release installed on your computer.  The current version of Java is Version 7 Update 10.
 

3.  Install and configure EMET -- The Enhanced Mitigation Experience Toolkit was designed to help prevent hackers from gaining access to your system. It prevents exploitation by applying in-box mitigations to help protect against this and other issues and should not affect usability of websites.

An easy guide for EMET installation and configuration is available in KB2458544.  Additional information about configuring EMET is available in the EMET User's Guide, in the following locations:
  • 32-bit systems -- C:\Program Files\EMET\EMET User's Guide.pdf
  • 64-bit systems -- C:\Program Files (x86)\EMET\EMET User's Guide.pdf
Additional suggestions are available in the MSRC Blog post and the Security Advisory, referenced below.

References:




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

No comments: