RealNews

Patch for 'critical' IE vulnerability doesn't work: Experts

A patch released by Microsoft to fix a critical security vulnerability in Internet Explorer does not work, according to security experts. The “object type” vulnerability was discovered by eEye Digital Security around four months ago. A patch was released on 20 August — and then re-released on 28 August, because under some circumstances it caused problems for some non-default operating system installations — and looks due for yet another re-release because it simply doesn’t fix the vulnerability it is supposed to. The vulnerability can be exploited by crafting a malicious HTML file that, when viewed by an Internet Explorer browser, extracts and executes malicious code. Speaking to ZDNet Australia by phone from the U.S., Marc Maiffret, eEye’s “chief hacking officer”, said the vulnerability is particularly critical because it doesn’t take a lot of effort to take advantage of. “It’s pretty serious just because it’s so easy to exploit… it doesn’t require someone to know how to write buffer overflow exploits or anything like that.” Full Story

OODA Analyst

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.