Microsoft is warning of a zero-day exploit and other Microsoft news

On Tuesday, the company posted a security advisory stating Microsoft is investigating public reports of a vulnerability targeting Internet Explorer 8 and 9. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet ZERO-DAY ATTACKS: Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

All supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone,” but “if a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

With cyber crime hitting more than 500 million victims globally and costing $100 billion annually, it’s clear that security breaches are a problem very far from being solved.

Zero-days are just one part of the overall threat landscape, however virtually everyone is at risk from a zero-day attack. And the threat from zero-day vulnerabilities occurs long before vendor or public discovery, and remains active long after patches are released.

A zero-day vulnerability is a vulnerability that has only been discovered by hackers. The vendor does not yet know of the vulnerability and therefore has not developed a patch for it. In contrast, a general vulnerability is disclosed by the vendor who typically has a patch ready.

Other Microsoft news:

Last week, four of the 13 Microsoft-issued updates were yanked for causing nasty retargeting loop headaches for some customers. After installing the updates, some users were notified to install updates again, and then again, in a vicious circle, as if they had not previously installed them. Microsoft said there were also cases “where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).” The company fixed the flawed patches and released new updates.

In the Microsoft good news category, Windows Phone 8 was given the FIPS 140-2 security thumbs up by the government. “FIPS 140-2 is a U.S. government security standard used to accredit the cryptographic algorithms that protect sensitive data inside products like smartphones. In all, Windows Phone 8 received accreditation for nine cryptographic certificates. If things go according to Microsoft’s plans, then Windows Phones will have a new virtual assistant in 2014. The Microsoft-flavored Siri is code-named “Cortana,” after “an artificially intelligent character in Microsoft’s Halo series who can learn and adapt.

Microsoft announced that Bing is moving on to “the next phase,” which is more than a new logo and user interface. “Bing is now an important service layer for Microsoft, and we wanted to create a new brand identity to reflect Bing’s company-wide role. The new look integrates the ‘One Microsoft’ vision both from a product perspective and visually.” This seems to squash rumors that Microsoft might kick Bing to the curb. You can preview the modern Bing here – http://www.bing.com/explore/newbing

 

How to Disable Java in Three Common Browsers

The ongoing security problems with Java mean that many people will want to disable the

Java plug-in for their web browsers. Here is how to do it for the most common browsers.

Google Chrome

  1. In the Chrome address bar enter: chrome://plugins
  2. Find the entry for the Java plug-in and click “Disable”

Firefox

  1. Open the Firefox menu
  2. Click “Add-ons”
  3. On the left side of the Add-ons manager that opens, select “ Plugins”
  4. Click “Disable” by the entry for Java   Firefox may have already done the disabling automatically

Internet Explorer

Disabling Java in the various versions of Internet Explorer (IE) is more complicated than it seems at first. You can use the IE Add-ons manager to disable  “Java(tm) Plug-in 2 SSV Helper” and “Sun Microsystems -Deployment Toolkit ” but that isn’t sufficient. There are apparently multiple ways that Java can be invoked from IE. It is sufficiently complicated that Microsoft has a special article on how to disable the Java plug-in for Internet Explorer. It isn’t pretty. The article involves Registry editing and its gory details are at this link – http://support.microsoft.com/kb/2751647. You can also check out this Homelands Security bulletin about IE – http://www.kb.cert.org/vuls/id/636312#disable_java_in_IE

Microsoft confirms hackers exploiting critical IE bug

Microsoft issued a security advisory that confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer. The software maker is working on a fix.

The advisory addressed the “zero-day” vulnerability — meaning it was discovered and exploited before a patch was available.

All but one supported edition of IE are affected: 2001’s IE6, 2006’s IE7, 2009’s IE8 and last year’s IE9. Together, those browsers accounted for 53% of all browsers used worldwide in August. The only exception was IE10, the browser bundled with the new Windows 8, which does not contain the bug.

The bug exploits the flaw allows hackers to execute code — in other words, plant malware on a machine — and opens Windows XP, Vista and Windows 7 to drive-by attacks that only require getting victims to visit a malicious or compromised website.   Until a patch is available, Microsoft recommended that users block attacks with EMET 3.0 (Exploit Mitigation Experience Toolkit), boosting IE’s security zone settings to “high,” and configuring the browser to display a warning before executing scripts.

We recommend, at a minimum, the last two steps – boost the security zone to high and having the browser prompt for scripts. The patch is expected this week.

Microsoft Finally Says Goodbye to IE 6 in the U.S.

The company has for years literally begged consumers to update older versions of Internet Explorer, warning that it would reduce the (high) risk of acquiring viruses and other malicious malware. The company even just recently introduced a feature in Windows Update that will automatically update Internet Explorer, seemingly pushing users into staying current rather than ignoring browser revisions and risking infection.

But now the company employees are seemingly dancing in the streets, as the official U.S.-based Internet Explorer 6 numbers have rolled in, and they report well below 1-percent. Worldwide, the number still hovers just below 8-percent as of December 2011, with China serving as the biggest IE6 offender followed by South Korea and Japan. Norway has the least number of IE6 users followed by Finland and the United States.

For the record, Internet Explorer 9.0.8112.16421 is the latest official release from Microsoft as of this writing.

Making Internet Explorer 9 Better – Improve your Brower Security

The Internet Explorer (IE) series of browsers has always made use of a proprietary Microsoft technology called “ActiveX”. ActiveX is involved in things like displaying PDF files and Flash based videos. Although ActiveX is not supported by any other browser, Microsoft has continued its use in Internet Explorer 9.

Unfortunately, security holes in ActiveX have been a recurring problem and over the years they have been a major route for malware infections.  Although it has been possible to disable ActiveX in IE in previous versions, it is a rather complex procedure based on Internet zones and lacks selectivity. For IE9, Microsoft has added a new feature called “ActiveX filtering” that provides much finer grained configuration. With this feature, you can go on the Internet with ActiveX disabled. You can then enable it for any sites that require it and that you consider safe. It is now much easier to select specific sites.

ActiveX Filtering is off by default, meaning that ActiveX controls will natively work within Internet Explorer 9 just as they did in previous versions of the browser. To enable ActiveX Filtering, click Tools, Safety, and then ActiveX Filtering. No window will pop-up, but by making this selection you have enabled the feature. To see that this is so, open Tools, Safety again and verify that the ActiveX Filtering choice is now checked.

Of course, disabling ActiveX will cause some sites to stop working properly, notably Flash-driven sites like YouTube. When this happens, you will see a small blue circle with a line through it in the IE 9 One Box (address bar), and if you mouse over this control, it will report that “Some content is filtered on this site” in a tooltip.

Contrary to the message, if you click the Turn off ActiveX Filtering button, IE 9 will not turn off ActiveX Filtering. It will instead turn off ActiveX Filtering for that site only. This is an important distinction, obviously, and it gives you a site-by-site way to re-enable ActiveX controls.

At this point, IE 9 will display a normal notification (at the bottom of the browser window) asking you if you’d like to enable the control. Choose Allow to do so.

Enabling ActiveX controls on a site-by-site basis is probably the safe choice. You know, for example, that YouTube and MSN are most likely “safe” in that they’re not actively trying to hijack your system. But some people may prefer to enable ActiveX Filtering but then want to re-enable certain controls (like Flash) across all sites. There are a couple of ways to do this, but the simplest may be to open the Manage Add-ons interface (Tools, Manage Add-ons), and then navigate to Toolbars and Extensions and then the ActiveX control in question. Then, right-click the control and choose “More Information.”

In this window, there is a button called Allow on all sites. If you click this, ActiveX Filtering will remain enabled, but that control will work on every single site you visit.

This interface will also provide a way to see which sites you’ve OK’d for particular controls, when ActiveX Filtering is enabled. And if you’ve enabled the control on a site inadvertently, or would otherwise like to disable it on a site by site basis, you can do so from here.

While I understand the value of ActiveX, even given the ongoing evolution of the web, I still feel that disabling ActiveX controls across the board and then re-enabling them on a site by site basis is advisable. Yes, it’s a bit ponderous, but it’s also more secure. For this reason, I applaud Microsoft for adding ActiveX Filtering to IE 9, and recommend that all readers enable this feature as soon as possible.

Browser Updates – Firefox 4 and IE 9

Last week Microsoft proudly proclaimed that its Internet Explorer 9 web browser had been downloaded over 2.3 million times within 24 hours, however by this morning Mozilla’s Firefox 4 download counter had passed the 4 million mark.

Mozilla’s Firefox 4 is the first major release of the popular open source web browser in two years and, just like Microsoft’s Internet Explorer9m it brings significant performance improvements along with user interface changes.

I’ve tried both browsers and I must say, both are a great improvement over previous versions. But don’t take my word for it, download and try them.

Mozilla’s Firefox 4 is available for all the major operating systems including Windows, Mac OS X and Linux, whereas Microsoft’s Internet Explorer 9 only works on Windows Vista and Windows 7.

http://www.mozilla.com
http://www.beautyoftheweb.com

-Chris

Microsoft releases Internet Explorer 9

The latest release is only available for Windows 7 machines. In keeping with it plan to tie the browser to the operating system, Microsoft explains why their browser benefits from only working with windows:

“We want browsing the Web to be a great experience, so that people keep choosing Windows to do it,” said Hachamovitch, explaining why IE is important to Microsoft.

“Web sites are going to need to tap into the power of the underlying  same way that applications do,” said Hachamovitch. “The way they do that is through the browser, and the way the browser is going to do that is through the operating system. So the world just changed.”

Microsoft’s claim that IE9 is the best browser on Windows rests largely on its hardware acceleration, technology that taps the graphics processor, or GPU, to handle some of the most processing-extensive chores, including composing the page. Microsoft has regularly trumpeted IE9’s GPU-based acceleration, first highlighting that feature when it demonstrated the browser nearly a year-and-a-half ago.

Other browsers, i.e. the upcoming Firefox 4, also offer hardware acceleration on Windows, as well as a more limited form on Mac OS X.

Remember, this browser will not work with XP. Even though 61% of windows users are still using XP, the only way to offer the full benefits for IE9 and ties to the OS is to limit it to Windows 7 operating systems.Remeber Windows XP is 10 years old and although stable, many improvements have been made to Windows 7 (also stable) and IE9 takes advantages of them.

Here’s what you can expect –
A new streamlined look – some say resembles Google’s Chrome minimalist user interface – makes the browser fade into the background and putting the web content at the forefront.

A new pinning feature where users can pin a site tot he windows 7 taskbar just as you pin applications to a taskbar (again not just pinning IE9 but individual websites for launching that site with a single click. Web authors need to take advantage of the pinning feature as well as jump lists to make this work. Currently Microsoft reports over 1,000 sites have taken advantage of this with more to come.

Better response time and rich graphics – the redesign takes advantage of the OS integration to produce higher definition video, truer colors all while using about 10% of the processing power.

Better privacy protection – an added level of control and choices about the information 3rd party web sites can potentially use to track your browsing activity.

Both 32-bit and 64 bit version are available from Microsoft’s new website –http://www.beautyoftheweb.com/

Chris Bolcik