Certain period is needed for coping with newly-discovered software security vulnerability.
Zero-day attack is to attack during the period unpatched by the software developer from the newly-discovered security vulnerability.
Therefore, it is very critical security issue.
Microsoft co. reported about the zero-day attack for Internet Explorer (all versions: 6, 7, 8, 9, 10, 11)
- When the user accessed to the web page (embedded the attacked code), the attacker may be able to get the permission of the user’s PC.
*Especially, if the user logs in as the administrator, the attack may be able to get all permission of the user’s PC.
Tentatively stop the use of Internet Explorer If you don’t need to use Internet Explorer, you had better use the other web browser, such as Firefox, Google Chrome and so on as much as possible. Microsoft Internet Explorer Use-After-Free Vulnerability Guidance (US-CERT : The Department of Homeland Security in US)
Confirm “Windows Update” (May 2, 2014)
On May 2, 2014, Microsoft published the fixed patch (MS14-021). According to some news, the patch will be automatically installed to Windows OS, but we strongly recommend the status check of the latest patches by accessing http://update.microsoft.com/microsoftupdate during several days.
How to check the installed patch
- Please see “View Update History Details” and check to apply the patch named “KB2964358″ or “KB2964444”.
Basically, Microsoft Update is available in the PC to which the Office program was installed.
However, in case of special case (*1), please upgrade the setting to Microsoft Update (*2).
*1 A case is the PC to which Office hasn’t installed.
*2 Upgrade to Microsoft Update
- Please access to http://update.microsoft.com/microsoftupdate using Internet Explorer.
At least, Please carry out the following avoidance measures for preventing from various unknown threats.
In case of using Internet Explorer for the special reason
Kyoto University provides the authentication IC service for accessing to the various local service of Kyoto University. For using this service, basically, Internet Explorer is required. Of course, Firefox can use, but the complex setting is required.
About the service, please contact here.
Therefore, Please carry out the countermeasures by seeing the following web page.
- Vulnerability Note VU#222929 – Microsoft Internet Explorer use-after-free vulnerability (US-CERT : The Department of Homeland Security in US)
The Office would like to explain the following two major countermeasures.
* Please remember that these countermeasures are tentative avoidance measure.
Even if these countermeasures are carried out, the security issue exists yet until the security patch is published by Microsoft co.
EMET = Enhanced Mitigation Experience Toolkit
The influence is not to display the web page constructed by VML (Vector Markup Language).
We recommend to use the other web browser if you need to display the VML page.
The support for WindowsXP was finished, so radical countermeasure does not exist.
By the avoidance measures, the security issue can be tentatively avoided, but we strongly recommend the OS upgrade or PC replacement.
30th April, 2014 Chief of Information Processing Office: Kitani.
Fixed, 1st May 2014.
Fixed, 2nd May 2014.