Microsoft Patches Three-Year-Old IE Bug

Criminals were already exploiting the vulnerability

Microsoft has pushed September security updates that patch more than 94 security holes in its Internet Explorer browser. The updates also patch a nasty three-year-old critical vulnerability [CVE-2016-3351] that was being exploited by cyber criminals.

This bug was first reported in 2015, but Microsoft didn’t patch it. It was reported again this year by two security firms, Proofpoint and Trend Micro, which provided Microsoft with evidence that the bug was being used by criminals. This time Microsoft took it seriously.

Proofpoint wrote in a blog post that, “During our work with Trend Micro on the AdGholas campaign, we reported it again and it was assigned a CVE ID and patch.”

Proofpoint explained that this vulnerability is a “MIME type check used to filter out systems that have certain shell extension associations, including .py, .pcap, and .saz. In some cases, certain extension associations, including .doc, .mkv, .torrent, and .skype are required to trigger the next exploitation step.”

Proofpoint further wrote that this vulnerability shows that “software vendors need to maintain comprehensive patching regimens, organizations and users must rethink patching prioritizations, and researchers need to look for new avenues to detect malicious activity.”

According to Proofpoint, there is a growing trend among criminals to exploit non-critical bugs, knowing that companies won’t prioritize them and that they may remain exposed for a very long time.
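The prioritization point above (a bug rated non-critical can still be the one attackers are actually using, and the longer it sits unpatched the longer the exposure) is easy to lose in a queue sorted purely by severity score. The following is an added illustration, not code from the article or from Proofpoint or Microsoft: a small patch-ranking routine that puts evidence of in-the-wild exploitation ahead of severity, then breaks ties by severity and by how many years the issue has been known. The vulnerability list, the severity scores (including the one attached to CVE-2016-3351) and the `CVE-EXAMPLE-*` identifiers are constructed for the example and are not the published values.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    """One entry in a patch backlog (fields are constructed sample data)."""
    cve: str
    severity: float       # vendor/NVD-style base score, 0-10 (constructed here)
    exploited: bool       # evidence of in-the-wild exploitation from vendor/IR reporting
    first_reported: int   # year the issue was first reported to the vendor


def priority_key(v: Vuln, now_year: int = 2016) -> tuple:
    """Sort key: exploited issues first regardless of score, then higher
    severity, then longer exposure (years since first report)."""
    years_exposed = now_year - v.first_reported
    return (0 if v.exploited else 1, -v.severity, -years_exposed)


def prioritize(vulns: list, now_year: int = 2016) -> list:
    """Return CVE ids in the order they should be patched."""
    return [v.cve for v in sorted(vulns, key=lambda v: priority_key(v, now_year))]


def long_exposed_exploited(vulns: list, now_year: int = 2016, min_years: int = 1) -> list:
    """Flag issues that are both exploited and have been known for at least
    `min_years`: the pattern the article describes, where a low-rated bug is
    left open long enough for criminals to build on it."""
    return [
        v.cve for v in vulns
        if v.exploited and (now_year - v.first_reported) >= min_years
    ]


# Constructed backlog. The severity for CVE-2016-3351 is a placeholder chosen to
# be below the "critical" band, mirroring the article's point that it was treated
# as non-critical; it is not the real published score.
SAMPLE_BACKLOG = [
    Vuln("CVE-2016-3351", 4.3, True, 2015),
    Vuln("CVE-EXAMPLE-0001", 9.8, False, 2016),
    Vuln("CVE-EXAMPLE-0002", 5.0, False, 2014),
    Vuln("CVE-EXAMPLE-0003", 5.0, False, 2016),
]

if __name__ == "__main__":
    for rank, cve in enumerate(prioritize(SAMPLE_BACKLOG), start=1):
        print(rank, cve)
    print("exploited and long exposed:", long_exposed_exploited(SAMPLE_BACKLOG))
```

With this key, the constructed CVE-2016-3351 entry lands at the top of the queue despite carrying the lowest score in the list, and the two equal-severity entries are ordered by how long they have been known, so the older one is patched first.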

09/14/2016