Posts Tagged ‘Internet Explorer’

Adobe released an emergency update today for its Flash Player to guard against a zero-day exploit, which could allow attackers to gain remote access to an affected machine. The security flaw has been elevated to “critical” status, which is Adobe’s highest threat level. Ars Technica reports the exploit can be triggered by “underlying code that could be exploited to execute arbitrary code” if a person navigates to a malicious site hosting an attack.

Windows and Mac users are affected by this zero-day exploit if running Adobe Flash Player 12.0.0.43 and earlier versions. Linux users are also affected if running 11.2.202.335 or earlier versions of Flash Player. Users running Google Chrome or Internet Explorer 10/11 will automatically be updated to the latest Adobe Flash Player version, 12.0.0.44, which will be bundled with the browser. Other users are advised to install the update as soon as possible.

Source: Adobe, softonic


The discovery was announced just a few days after Microsoft revealed CVE-2013-3906, a zero-day vulnerability in a Microsoft graphics component that is actively exploited in targeted attacks using crafted Word documents sent by email.

The Microsoft graphics component zero-day vulnerability allows attackers to install malware via infected Word documents and targets Microsoft Office users running Windows Vista and Windows Server 2008.

A new, recently reported Internet Explorer zero-day vulnerability detected by FireEye affects the English versions of IE 7 and 8 in Windows XP and IE 8 on Windows 7, but according to the experts it can be easily changed to leverage other languages.

FireEye confirmed that the recently detected exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution, and that the attackers use the timestamp from the PE headers of msvcrt.dll to select the proper exploit.

“The information leak uses a very interesting vulnerability to retrieve the timestamp from the PE headers of msvcrt.dll. The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll,” explained the researchers Xiaobo Chen and Dan Caselden in the post published by FireEye.
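The timestamp in question is the `TimeDateStamp` field of the COFF file header, which differs per build of a DLL. The following added example (not code from FireEye or the original post) reads that field so a defender can inventory which msvcrt.dll build a host carries; the sample header, the `KNOWN_BUILDS` table and its label are constructed placeholders.

```python
import struct
from datetime import datetime, timezone

class PEFormatError(ValueError):
    """The buffer is not a well-formed PE image header."""

def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch, UTC)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing MZ DOS header")
    # e_lfanew (offset 0x3C of the DOS header) locates the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        raise PEFormatError("e_lfanew points outside the buffer")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    _machine, _sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return stamp

def describe_build(data: bytes, known_builds: dict) -> str:
    """Map the link timestamp to an inventory label, or report it as unknown."""
    stamp = pe_timestamp(data)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
    return f"{known_builds.get(stamp, 'unknown build')} (0x{stamp:08X}, {when})"

def build_sample_header(stamp: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal DOS + COFF header for the demo; not a loadable DLL."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, stamp, 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff

# Constructed inventory: timestamp and label are placeholders, not real msvcrt.dll builds.
KNOWN_BUILDS = {1234567890: "msvcrt.dll build A (placeholder)"}

if __name__ == "__main__":
    print(describe_build(build_sample_header(1234567890), KNOWN_BUILDS))
```

To check a real file, pass the first few kilobytes of the DLL read in binary mode to `pe_timestamp`.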

The analysis conducted by the research team at FireEye revealed that this IE zero-day affects IE 7, 8, 9 and 10 and that, as with the Microsoft zero-day CVE-2013-3906, it can be mitigated by EMET, per Microsoft’s feedback.

The shellcode is very interesting: the exploit implements a multi-stage shellcode payload that, upon successful exploitation, launches rundll32.exe (with CreateProcess) and injects and executes its second stage (with OpenProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread). The second stage downloads an executable and runs it from disk.
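The process behaviour described above leaves a recognisable trail in endpoint telemetry. The following added example (not from the original post) correlates simplified Sysmon-style records, process creation (event ID 1) and CreateRemoteThread (event ID 8), to flag a browser that spawns rundll32.exe and then starts a thread inside it; the sample events, the 10-second window and the assumption that the browser appears as the parent process are constructed for illustration.

```python
import ntpath

BROWSERS = {"iexplore.exe"}   # process the exploit on this page runs inside
WINDOW = 10                   # assumed correlation window, in seconds
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"

# Constructed, simplified Sysmon-style records (1 = process create,
# 8 = CreateRemoteThread); "Time" is in seconds. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Time": 100, "ProcessId": 4120, "Image": RUNDLL,
     "ParentProcessId": 3388, "ParentImage": IE},
    {"EventID": 8, "Time": 101, "SourceProcessId": 3388, "SourceImage": IE,
     "TargetProcessId": 4120, "TargetImage": RUNDLL},
    # Benign: rundll32.exe started by the shell, no remote thread from a browser.
    {"EventID": 1, "Time": 200, "ProcessId": 5000, "Image": RUNDLL,
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe"},
    # Browser-spawned rundll32.exe, but the remote thread falls outside the window.
    {"EventID": 1, "Time": 300, "ProcessId": 6000, "Image": RUNDLL,
     "ParentProcessId": 3388, "ParentImage": IE},
    {"EventID": 8, "Time": 400, "SourceProcessId": 3388, "SourceImage": IE,
     "TargetProcessId": 6000, "TargetImage": RUNDLL},
]

def _name(path):
    return ntpath.basename(path).lower()

def detect_browser_injection(events, window=WINDOW):
    """Alert when a browser spawns rundll32.exe and then starts a thread in it."""
    spawned = {}   # child PID -> (parent PID, creation time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 1:
            if _name(ev["Image"]) == "rundll32.exe" and _name(ev["ParentImage"]) in BROWSERS:
                spawned[ev["ProcessId"]] = (ev["ParentProcessId"], ev["Time"])
            else:
                spawned.pop(ev["ProcessId"], None)   # PID reused by another process
        elif ev["EventID"] == 8:
            parent, born = spawned.get(ev["TargetProcessId"], (None, None))
            if parent == ev["SourceProcessId"] and ev["Time"] - born <= window:
                alerts.append({"source_pid": parent, "target_pid": ev["TargetProcessId"],
                               "delay": ev["Time"] - born})
    return alerts

if __name__ == "__main__":
    for alert in detect_browser_injection(SAMPLE_EVENTS):
        print("ALERT browser -> rundll32.exe remote thread:", alert)
```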

Source : securityaffairs.co

It’s that time of the month again, with Microsoft Patch Tuesday just 24 hours away.

In point form, August 2013 brings you:

  • Eight bulletins
  • Three critical due to potential remote code execution
  • Critical #1: All Internet Explorer versions from 6 to 10
  • Critical #2: Exchange Server versions 2007, 2010 and 2013
  • Critical #3: Windows itself, but only XP and Server 2003
  • Patches for Server Core, but none critical
  • Reboot required

It’s hard to say just how severe (or how widely exploited, if at all) any of the critical vulnerabilities are, since Microsoft plays its cards close to its chest until the patches actually ship.

And even though some of the bulletins are listed with a Restart Requirement of “maybe,” you should assume you’ll be rebooting every Windows box within your remit.

That’s because all your systems will either have Internet Explorer on them, or be Server Core installs.

Both of those require a reboot.

As usual, SophosLabs will be publishing its own vulnerability assessments once Microsoft has officially issued its updates. (Redmond always gets to go first. Understandably, that’s the way it is.)

Although Naked Security generally recommends getting a move on with patching, lest you get sucked into a Change Control Resistance Vortex, SophosLabs gives you a Threat Level assessment for each patch.

All other things being equal, if you have to delay one or more of the eight Bulletins, the Threat Level helps you choose by assessing the likelihood that each security hole will be actively exploited.

Source : NakedSecurity.sophos.com

Microsoft has released an advance notification of 9 security bulletins that it plans to release on April 9, 2013. Microsoft said it will patch nine vulnerabilities in total, two of them rated Critical and the remaining 7 rated Important.

The critical vulnerabilities are remote code execution issues. The first vulnerability affects Microsoft Windows and Internet Explorer, while the second vulnerability affects Microsoft Windows.

The update will fix a flaw that allows a drive-by attack, which hackers can exploit to attack machines running the software using malware-loaded websites. Earlier this year, Microsoft released an emergency update for Internet Explorer after all the commotion about the security holes in Java. The update aimed to patch a security vulnerability in Internet Explorer that is being used for attacks on government contractors and other organisations.

The remaining 7 vulnerabilities pertain to issues affecting Microsoft Office, Microsoft Server Software and Microsoft Windows. Microsoft will host a webcast to address customer questions on the security bulletins on April 10, 2013, at 11:00 AM Pacific Time (US & Canada).

Microsoft is expected to issue seven bulletins affecting all versions of its Windows operating system (OS), some Office components and also Mac OS X, through Silverlight and Office; 4 of the 7 are critical patches.

  • Critical : The first bulletin will address a remote code execution vulnerability affecting Windows and Internet Explorer.
  • Critical : The second bulletin addresses a remote code execution vulnerability affecting Microsoft Silverlight.
  • Critical : The third bulletin addresses a remote code execution vulnerability affecting Office.
  • The fourth security bulletin addresses a critical elevation of privilege vulnerability affecting both the Office and Server suites.
  • Important : The fifth and sixth security bulletins address an information disclosure vulnerability affecting Microsoft Office.
  • The last bulletin again addresses an elevation of privilege vulnerability affecting Windows.

Microsoft and other software vendors are likely to release further patch updates soon, following the PWN2OWN competition that concluded earlier this month, which saw security researchers break the security of a number of applications. In fact, over the last three months, there has been an IE update every month.

If you have Windows Update set to automatic, critical patches will be installed automatically while important patches must be installed manually.

This week, the ad industry blasted Microsoft’s use of a privacy feature called “Do Not Track” in Internet Explorer 10, threatening to override it entirely to barrage your browser with targeted ads. But you know what? It doesn’t matter. A little-known privacy feature in Internet Explorer means that Microsoft, and Web users, have already won this battle.

Ryan Gavin, Microsoft’s senior director of Internet Explorer, reminded ReadWriteWeb that both IE9 and IE10 contain a privacy feature called “Tracking Protection,” which prevents user information from being passed to a website. While Do Not Track is a more gentlemanly request for anonymity, Tracking Protection simply shuts your browser’s mouth, as it were, and refuses to say almost anything.

Microsoft has said previously that IE10, which will make its first appearance in Windows 8, will ship with Do Not Track on by default – in other words, your browsing activity won’t be tracked by advertisers right out of the box. That has left advertisers fuming, since user information is exactly what the advertiser needs to provide high-value, targeted ads. Those targeted ads typically cost more, generate higher revenue and provide a more useful advertising experience than a generic ad designed for the Internet at large, advertisers say.

On Monday, the Association of National Advertisers sent Microsoft chief executive Steve Ballmer a letter claiming that the ANA believes “that if Microsoft moves forward with this default setting, it will undercut the effectiveness of our members’ advertising and, as a result, drastically damage the online experience by reducing the Internet content and offerings that such advertising supports”.

In other words, according to the ANA’s executive vice president of government relations, Dan Jaffe, less ad revenue means the Web’s “free,” ad-subsidized services may go away, replaced by paid subscriptions or other methods. “And if you get less revenue for websites, it threatens to have less information that’s available to consumers for free,” Jaffe said in an interview. “And [site operators] start to put up paywalls, and some of these paywalls as you read in the press have not always turned out well for consumers.”

The ANA has its own voluntary advertising opt-out service at Aboutads.info, which automatically scans your machine for cookies and other trackers, then gives you the option to opt out. Still, that works only for a given browser and computer (since opting out is stored in a cookie) and only for the “participating” companies. The ANA advises that you periodically revisit the site and opt out again and again.

What Is Do Not Track?

The Do Not Track movement surfaced in 2007, when the FTC was petitioned to create a list of websites that would not be permitted to collect information from a user’s Web browser, somewhat similar to the “Do Not Call” list used by home phones. Mozilla developers added a custom plug-in to the browser that enabled DNT about a year later. Then, in 2009, Firefox began implementing it, even on mobile devices. Google’s Chrome will add DNT support by the end of the year, a company spokesman confirmed, and IE, of course, will enable it in IE10. Opera already includes DNT support.

DNT is an HTTP header that “asks” Web sites to not collect user data. But compliance is voluntary, and far from widespread. So far, only 1 of 211 top Web sites surveyed adheres to DNT principles.

Microsoft’s perspective is that customers should get what they pay for, and that includes privacy. “Competing on privacy is a good thing,” Gavin said. “Consumers win when you have a point of view, as we do, that someone paid us money for Windows. Part of that is Internet Explorer, and – it’s called Windows Internet Explorer, incidentally – and giving them choice and control over privacy is a good thing, and we have incentive to support and respect our paying customers.”

Microsoft’s moves haven’t been well-received by some. Apache, which powers a substantial number of the world’s Web servers, has already said that it won’t honor IE10 Do Not Track requests, precisely because turning it on violates consumer choice, in Apache’s view. Or, as Jaffe puts it: “What Microsoft is doing is claiming it’s preserving consumer choice, but what it’s doing is imposing its choice on consumers.”

Tracking Protection

To enable Tracking Protection in IE9, go to the Settings>Safety>Tracking Protection menu, then enable your personalized list via the “enable” button in the bottom right-hand corner. You can also set up the list by telling IE how many times you wish an ad to be displayed before it gets axed. (CNET has a video tutorial if you want more.)

That enables what Microsoft’s rivals call a “draconian” measure, blocking the website or tracker from getting any information about you. But Microsoft’s response is that if the sites themselves aren’t honoring DNT requests, then it has a right to enforce the consumer’s will.

“Our job is to really just to say we’re going to keep consumers safe and protected online,” Gavin said. “Do Not Track doesn’t actually do much, unless… someone’s honoring that signal. I don’t have a crystal ball for when that may or may not happen, and when there would be conformance or not.

“But we have a thing called Tracking Protection in IE10. Tracking protection is something we enabled with IE9, and instead of, where DNT sends a signal to a website saying, ‘Mark does not wish to be tracked,’ Tracking Protection actually stops tracking from happening at the browser,” Gavin added. “We can actually go through and subscribe to what’s called the TPL or Tracking Protection List, that can be curated by any number of groups, or individuals – you can even have one that’s built dynamically, based on sites you’re going to, and we actually don’t send signals. So when you’re in that list, we say, ‘Ah! So-and-so’s ad network is looking to add a single pixel tracker,’ so we can actually stop that. We can stop the tracking from happening.”

You won’t find Tracking Protection, or its equivalent, in any of the other browsers. But ad-blocking plugins exist for Firefox and Chrome, which simply prevent the ads from being shown in the first place. The ANA’s right in that blocking ads prevents websites – including this one – from displaying the ads that generate the revenue needed to keep the site up and running. On the other hand, if it’s true that major websites are ignoring consumer requests to prevent tracking them, it’s hard to argue with Microsoft’s logic.
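The difference between the two mechanisms, as an added example that is not part of the original article: Do Not Track adds a `DNT: 1` request header and leaves the outcome to the server, while a Tracking Protection list stops the third-party request in the browser. The hosts, URLs and the domain-only list are constructed, and the first-party test is simplified to an exact host match.

```python
from urllib.parse import urlsplit

# Constructed tracker list; real Tracking Protection Lists use their own file format.
TRACKERS = frozenset({"tracker.example"})

def _listed(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def browser_requests(page_url, resource_urls, send_dnt, block_list=frozenset()):
    """Return (url, headers) for every request that actually leaves the browser."""
    page_host = urlsplit(page_url).hostname
    sent = []
    for url in resource_urls:
        host = urlsplit(url).hostname or ""
        if host != page_host and _listed(host, block_list):
            continue                      # Tracking Protection: never sent
        sent.append((url, {"DNT": "1"} if send_dnt else {}))
    return sent

def tracker_sets_cookie(headers, honors_dnt):
    """Server side: the DNT header matters only if the site chooses to honour it."""
    return not (honors_dnt and headers.get("DNT") == "1")

def tracked_urls(page_url, resource_urls, send_dnt, block_list, honors_dnt):
    """Tracker URLs that both reached the server and were given a cookie."""
    return [url for url, headers in
            browser_requests(page_url, resource_urls, send_dnt, block_list)
            if _listed(urlsplit(url).hostname or "", TRACKERS)
            and tracker_sets_cookie(headers, honors_dnt)]

PAGE = "https://news.example/story"                       # constructed
RESOURCES = ["https://news.example/style.css",            # first party
             "https://cdn.tracker.example/pixel.gif"]     # single-pixel tracker

if __name__ == "__main__":
    print("DNT only, site ignores it:", tracked_urls(PAGE, RESOURCES, True, frozenset(), False))
    print("DNT only, site honours it:", tracked_urls(PAGE, RESOURCES, True, frozenset(), True))
    print("Tracking Protection list: ", tracked_urls(PAGE, RESOURCES, False, TRACKERS, False))
```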

Source : http://www.readwriteweb.com article by 

The Microsoft security update for June addresses 27 security flaws in several products; 13 of the vulnerabilities affect Internet Explorer (IE). A cumulative update for IE addresses flaws that were found as part of the Pwn2Own competition. Another of the updates fixes denial-of-service and remote code execution vulnerabilities in the Remote Desktop features on all currently supported versions of Windows.