Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[KillerWatt]

IE6 and 7 are vulnerable .. IE8 is supposed to be safe ..

http://uk.news.yahoo.com/22/20100121/tts-uk-microsoft-ca02f96_2.html

Dont like that phrase.

It's MS .. it'll never be "properly" safe .....   

No operating system or application will ever be "safe", and MS products are no better or worse than the competion where security is concerned.

In fact, back when XP was first released, it had LESS security holes "straight out of the box" than Apple's then current offering did.

[wakeyomega]

Only one upgrade from windows this morning, a security upgrade for IE8. Does anyone know if this is a patch for the recently hyped vulnerability?

Yes. Also includes a few fixes that were due for normal monthly cycle, but included in this out of band update

Well that explains everything, I bet all the problems only appear to happen over a 7 day period, If you search google through IE during this time it responds by saying "you don't really appreciate me", snaps at you when you click on it, and bursts in to tears if you as much as minimise it.

[Entwood]

Some further info for those who might be interested ....

Computerworld - Microsoft issued a security advisory today that warned users of a critical and unpatched vulnerability in Internet Explorer (IE), and acknowledged that it had been used to hack several companies' networks.

"We have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks," said Mike Reavey, director of Microsoft's Security Response Center (MSRC), in a post to the group's blog.

Earlier today, antivirus company McAfee said the IE bug had been exploited by hackers who had attacked computer networks of nearly three dozen major companies between mid-December 2009 and Jan. 4, 2010. McAfee said then that Microsoft would soon release this advisory.

The security advisory said that the only version of IE not containing the critical flaw was IE 5.01 running on Windows 2000. All other versions, including IE6, IE7 and IE8 on Windows 2000, XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2 are vulnerable to attack.

Even so, Reavey downplayed the threat to average Windows users. "Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE6 at this time," he said.

"An IE zero-day in all versions," said Andrew Storms, director of security operations at nCircle Network Security, "so by no means is this good for Microsoft. The only encouraging news is that there are tools that protect Vista and Windows 7 on IE7 and newer, so that an exploit would crash [those browsers] rather than allow code execution." Storms was referring to security provisions within IE, including DEP (data execution prevention) and Protected Mode, on newer versions of Windows.

Microsoft's Reavey hammered that home as well. "Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user's machine," Reavey said. "Customers should also enable Data Execution Prevention, which helps mitigate online attacks."

Although DEP is on by default in IE8, it must be manually switched on in IE6 and IE7. Users can enable DEP by using the "Fix it" tool Microsoft has posted on its support site.

As McAfee noted earlier today, an IE user's PC could be hijacked simply by steering the browser to a malicious site, or to a compromised legitimate site that hosted attack code.

Microsoft said users could also protect themselves to some degree by setting the PC's Internet zone's security to the "High" option, but warned that it wasn't surefire. "It is important to note that the vulnerable code may be reached even with these protections in place," the company said in the advisory. "However, any attacks would be less successful with these workarounds in place."

The company did not set a timetable for producing a patch, but Storms was certain that Microsoft would scramble to get something out as soon as possible. "For sure they'll do an out-of-band update," said Storms, using the term for a security fix that's released outside Microsoft's monthly patch schedule. "The public relations aspects are going to drive this."

Storms was talking about the criticism that Microsoft is sure to harvest as the vendor whose software let hackers break into dozens of major Western companies.

Microsoft last issued an out-of-band update in late July 2009, when, ironically, it patched IE just hours before several researchers demonstrated the vulnerability at a security conference.

The attacks first came to light Tuesday, when Google announced that Chinese attackers had made off with intellectual property from its corporate network, and also tried to access the Gmail accounts of Chinese human rights activists.

Google said the attacks, along with increasing censorship of the Web by China's government, had prompted a reevaluation of it business in the country. The same day, Adobe acknowledged that its machines had also been hacked.

Microsoft tacitly acknowledged that the IE attack had been used by the Chinese hackers to break into the Google and Adobe networks by crediting the two companies with reporting the browser bug.

Early reports, including one by Computerworld, pointed toward a zero-day vulnerability in Adobe's Reader as the bug that hackers exploited.

McAfee today scotched such talk, saying that although it did not investigate every attack, it had worked with several targeted corporations and found evidence of only one vulnerability: the IE zero-day.

The next regularly-scheduled Microsoft Patch Tuesday is Feb. 9.

[STMO999]

Thanks for that

[TheBoy]

Only one upgrade from windows this morning, a security upgrade for IE8. Does anyone know if this is a patch for the recently hyped vulnerability?

Yes. Also includes a few fixes that were due for normal monthly cycle, but included in this out of band update

Someone on the radio was saying that the "newly discovered vulnerability" was in IE6, not IE8.  It was only a problem because many corporate users hadn't upgraded.

Don't know who said this or what authority it has.  Anyone know if it's true?

All supported versions are vulnerable, from IE5 up.  You obviously only saw IE8 one, as thats the one you use.  OOB update was put up a couple of days ago, so those with Windows update enabled should have by now. Every home user should have automatic updates enabled, if not, they should not be allowed to walk this planet.


Contary to popular belief, IE8 is vulnerable.  Some of the defaults, depending on OS, are less vulnerable to the publically disclosed method of attack.  Additionally, remember, this update is not just for the hyped media frenzy hole that the dumbed down bbc have been overdramtising (guess everyone is bored with earthquakes).

[TheBoy]

IE6 and 7 are vulnerable .. IE8 is supposed to be safe ..

http://uk.news.yahoo.com/22/20100121/tts-uk-microsoft-ca02f96_2.html

Dont like that phrase.

It's MS .. it'll never be "properly" safe .....   

No operating system or application will ever be "safe", and MS products are no better or worse than the competion where security is concerned.

In fact, back when XP was first released, it had LESS security holes "straight out of the box" than Apple's then current offering did.

Correct. And XP SP2, Vista and later all have better mechanisms built into the OS itself that can protect the system against many (not all though) application vulnerabilities.

People claim Linux/Firefox/xyz is more secure. They aren't.  Windows main security issues come from users running as Admin. UAC (if left enabled, some people with egos larger than their ability think they are somehow able to be secure without it) helps enormously.  As Linux got popular, many incredible stupid idiots, again with egos far exceeding their abilities, like to run as root or root equivilent.  As Linux doesn't have the same security controls as Windows, this really is suicide.  And a compromised linux server with a 10Gb link into the UK internet backbone can cause a an awful lot of damage, and a whole mountain of paperwork. Idiots.

[KillerWatt]

People claim Linux/Firefox/xyz is more secure. They aren't.  Windows main security issues come from users running as Admin. UAC (if left enabled, some people with egos larger than their ability think they are somehow able to be secure without it) helps enormously.  As Linux got popular, many incredible stupid idiots, again with egos far exceeding their abilities, like to run as root or root equivilent.  As Linux doesn't have the same security controls as Windows, this really is suicide.  And a compromised linux server with a 10Gb link into the UK internet backbone can cause a an awful lot of damage, and a whole mountain of paperwork. Idiots.

Nail on the head, but don't let the truth get in the way of making MS a whipping boy for something that is down to the stupidity of the end user 

[Entwood]

Been sent this from a site I use...  the troubles continue ..

Internet Explorer 'hit with new set of security flaws'
By Emma Barnett, Technology and Digital Media Correspondent
Published: 6:14PM GMT 25 Jan 2010

A US security research firm has found another set of vulnerabilities within Internet Exlporer, only a day after Microsoft released an emergency software update.

Microsoft had to release an unscheduled security update last week to protect IE users and could face having to do so again.

Boston-based Core Security Technologies discovered the vulnerabilities on Friday January 22, only a day after the technology giant had released an unscheduled security patch to protect users of the most popular browser in the world from the flaws used by the hackers who pried into the email accounts of human rights activists in China.

Two weeks ago Microsoft admitted that its Internet Explorer browser was the weak link in a spate of recent cyber attacks on Google and other technology companies in China.

Core Security Technologies claim to have discovered another set of vulnerabilities in Internet Explorer which hackers could exploit and use to remotely access personal data on people’s computers.

Microsoft is taking the claim seriously and has launched an enquiry.

A spokesman said: “Microsoft is investigating a responsibly disclosed vulnerability in Internet Explorer. We’re currently unaware of any attacks trying to use the vulnerability or of customer impact, and believe customers are at reduced risk due to responsible disclosure. Once we’re done investigating, we will take appropriate action to help protect customers.”

However, the tech giant would not rule out having to release yet another unscheduled security update on top of the regular monthly release, once its investigation was over.

The spokesman added: “Customers should also upgrade to the latest version of Internet Explorer, Internet Explorer 8, which provides improved security and privacy protections, as well as sign up for Microsoft Update and enable the Automatic Update functionality. This will enable automatic installation of all applicable updates this month and help to make customer systems more secure.”

Jorge Luis Alvarez Medina, a security consultant from Core Security Technologies, told Reuters that there are three or four ways for hackers to exploit this new set of vulnerabilities, but he did not know whether any such attacks had happened. He plans to demonstrate the vulnerability at the Black Hat security conference in Washington, which commences on February 2.

Microsoft’s unscheduled security release last week was preceded by both the German and French governments issuing official warnings for all IE users to change their browser so as not to be exposed to the security flaws detected in all versions of IE. The British Government did not issue a similar warning.

Rival browser makers, including Firefox and Opera, are said to be benefiting from the fallout, with downloads of Firefox spiking in Germany immediately after the government issued its advice, and more than twice as many people as usual downloaded Opera last week.

25 January 2010