Microsoft Patches Three-Year-Old IE Bug


Criminals were already exploiting the vulnerability

Microsoft has pushed September security updates that patch more than 94 security holes in its Internet Explorer browser. The updates also patch a nasty three-year-old critical vulnerability [CVE-2016-3351] that was being exploited by cyber criminals.

This bug was first reported in 2015, but Microsoft didn’t patch it. It was reported again this year by two security firms, Proofpoint and Trend Micro, who provided Microsoft with evidence that the bug was being used by criminals. This time Microsoft took it seriously.

Proofpoint wrote in a blog post that, “During our work with Trend Micro on the AdGholas campaign, we reported it again and it was assigned a CVE ID and patch.”

Proofpoint explained that this vulnerability is a “MIME type check used to filter out systems that have certain shell extension associations, including .py, .pcap, and .saz. In some cases, certain extension associations, including .doc, .mkv, .torrent, and .skype are required to trigger the next exploitation step.”

Proofpoint further wrote that this vulnerability shows that “software vendors need to maintain comprehensive patching regimens, organizations and users must rethink patching prioritizations, and researchers need to look for new avenues to detect malicious activity.”

According to Proofpoint, there is a growing trend among criminals to exploit non-critical bugs, knowing that companies won’t prioritize them and that they may remain exposed for a very long time.
