Thursday, February 04, 2010

A new vulnerability in IE

Beyond Binary: Microsoft investigates new Internet Explorer flaw
by Ina Fried

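Microsoft announced on Wednesday that it is investigating a new vulnerability in IE.
This vulnerability could allow user information to be disclosed without authorization.
This applies when IE is running on an older OS.
According to what Microsoft announced at a committee,
no attacks using this vulnerability have been reported yet,
but a Web-based attack is possible.
It could come from a site that targets the vulnerability, from being led there via user-entered information, or from a malicious ad.
Either way, the user ends up being led to a specific site.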

Microsoft said on Wednesday that it is investigating another flaw in Internet Explorer, this time a vulnerability that could result in an unauthorized disclosure of information for users running its browser on older operating systems.
The software maker said in a security advisory that, although it knows of no attacks based on the flaw, the vulnerability could lead to a Web-based attack from either a Web site designed to take advantage of the flaw or from a site that becomes compromised via user-generated text or a malicious ad. Either way, a user would have to actively go to the compromised Web site.

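This vulnerability is different from the one that targeted companies such as Google,
for which Microsoft released an emergency security patch update last month.
This latest vulnerability occurs with the combination of Windows XP and IE.
Microsoft indicated that there is no vulnerability when IE is run on Windows Vista or 7,
because IE normally runs in "protected mode".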

The flaw is separate from the one used to attack Google and other companies, which Microsoft addressed with an "out-of-band" security update last month.
The latest flaw could affect those running Windows XP and Internet Explorer on Windows XP. The software maker said those running the browser on a machine running Windows Vista or Windows 7 aren't vulnerable because the browser runs in a "protected mode" by default.

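According to McAfee spokesman Joris Evers,
this latest issue does not give an attacker full control of the system.
However, it is "a serious vulnerability, and personal information or system information could be leaked through an attack."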

McAfee spokesman Joris Evers said that, although the latest issue doesn't allow the attacker to gain full control of a system, it nonetheless represents "a serious vulnerability that can expose personal information or system information that may be used in a follow up attack."

"IE users should recognize the danger of this vulnerability and apply the patch released by Microsoft."

"Internet Explorer users should ensure they are protected against exploitation of this flaw and apply the patch when Microsoft releases it," Evers said.

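Microsoft will probably take some action once this investigation is finished,
for example a monthly update or an emergency update.
Until then, Microsoft may also provide a patch that switches IE6 to protected mode.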

Microsoft said it may take additional action when it finishes its inquiry, such as releasing an update as part of its monthly "Patch Tuesday" or as part of a special, out-of-band update. In the meantime, the software maker offered an automated "Fix It" that can turn on the protected mode for those running IE 6.
