Following his discovery of 3 critical vulnerabilities in Microsoft Internet Explorer (IE) last month, Palo Alto Networks Researcher Bo Qu has identified another new vulnerability (CVE-2013-5052) in Internet Explorer, documented in Microsoft Security Bulletin MS13-97. This new critical vulnerability impacts IE version 7, potentially exposing a large population of users without the Microsoft patches or other protections released today.
Think of this vulnerability as a silent and effective method of delivering malware with a simple click on a link or a visit to a webpage. Gone are the days when users had to click “Download” or “Accept” to install software. When exploited, vulnerabilities like this can deliver an attacker's malware of choice to control systems and infiltrate networks. The delivery methods usually center around “Drive-by” downloads or integration with sophisticated Web Attack Toolkits.
What can you do to protect yourself or your organization? Today, Palo Alto Networks released an IPS Vulnerability Protection update that ensures our customers are safe from the potentially thousands of exploits against this vulnerability, even without downloading the Microsoft patch. Palo Alto Networks has also released protections against 6 other critical vulnerabilities covered in the December 2013 Security Bulletin from Microsoft.
These vulnerabilities were disclosed to Microsoft as part of Palo Alto Networks’ commitment to responsible disclosure guidelines. Furthermore, we participate in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and allows security vendors to create protections for them, so that customers are protected as soon as the vulnerabilities are announced publicly.