Sunnyvale, California, March 9, 2010
Today Microsoft released a security advisory (981374) detailing a new, unpatched vulnerability in Internet Explorer (IE), which is currently being used in targeted attacks. While Microsoft has recommended workarounds for this issue, a patch is not yet available and a date has not been set for the release of a patch. Working with Microsoft, through the Microsoft Active Protections Program (MAPP), Zscaler has been provided with confidential data related to this vulnerability, which has been leveraged to deploy protections.
The vulnerability is caused by an invalid pointer reference and impacts IE 6 & 7, while IE 8 is not believed to be vulnerable. All Microsoft recommended workarounds require that client side settings be adjusted and while they make exploitation more complex, do not eliminate the vulnerability. Zscaler was able to deploy protections for this issue throughout its global cloud infrastructure within an hour of receiving notification from Microsoft.
“In our Q4 2009 – State of the Web Report, we detailed that 70% of corporate users on the web are still using Internet Explorer 6 or 7, all of which are now vulnerable to attack”, according to Michael Sutton, VP, Security Research at Zscaler. “While adoption on Internet Explorer 8 has been relatively brisk among consumers, enterprises have been far slower to adopt new browser technology. Vulnerabilities such as the one disclosed today illustrate why supported software is not secure software. Enterprises should revisit their decision to delay the deployment of Internet Explorer 8.”
Zscaler customers are currently protected from this vulnerability (CVE-2010-0806) without the need to make any policy changes. Zscaler will continue to monitor for active exploitation of this issue and will release further reports as the situation warrants.
Zscaler is revolutionizing Internet security with the industry’s first Security as a Service platform. As the most innovative firm in the $35 billion security market, Zscaler is used by more than 5,000 leading organizations, including 50 of the Fortune 500. Zscaler ensures that more than 15 million users worldwide are protected against cyber attacks and data breaches while staying fully compliant with corporate and regulatory policies.
Zscaler is a Gartner Magic Quadrant leader for Secure Web Gateways and delivers a safe and productive Internet experience for every user, from any device and from any location — 100% in the cloud. With its multi-tenant, distributed cloud security platform, Zscaler effectively moves security into the internet backbone, operating in more than 100 data centers around the world and enabling organizations to fully leverage the promise of cloud and mobile computing with unparalleled and uncompromising protection and performance. Zscaler delivers unified, carrier-grade internet security, next generation firewall, web security, sandboxing/advanced persistent threat (APT) protection, data loss prevention, SSL inspection, traffic shaping, policy management and threat intelligence—all without the need for on-premise hardware, appliances or software. To learn more, visit us at www.zscaler.com.
- Zscaler Security Research
- Zscaler Security as a Service
- Award-winning Web Security
- World’s First Next Generation Cloud Firewall
- Sandboxing and Behavioral Analysis
Director of Communications