Microsoft Security Bulletin MS11-003-Critical-kb2482017

February 10, 2011 by admin  
Filed under Protection Tools

Cumulative Security Update for Internet Explorer (2482017)

Published: February 08, 2011

Version: 1.0

 


Older Versions of the Yahoo! Toolbar may cause Internet Explorer to stop responding or unexpectedly close

December 24, 2010 by admin  
Filed under Security News

 

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft.

 

Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

 

SYMPTOMS

  • Internet Explorer has stopped working
  • Internet Explorer encountered a problem and needs to close

 

CAUSE

As a result of some changes made by Yahoo!, older versions of the Yahoo! Toolbar can cause Internet Explorer to stop responding or unexpectedly close.

 

RESOLUTION

To resolve this issue, Yahoo! and Microsoft recommend that you uninstall and reinstall the toolbar as follows:

 

Please have a pen and paper handy to write down the following information for your version of Windows and then perform those steps to resolve the issue on your computer:

 

For Windows XP

  1. Click Start, and then click Control Panel.
  2. Double-click Add or Remove Programs.
  3. Scroll to and click Yahoo! Toolbar to select it, and then click Remove.
  4. Follow any confirmation prompts.
  5. Close Add or Remove Programs and then restart Internet Explorer to verify that the issue is resolved.
  6. To re-install the Yahoo! Toolbar to the latest version, please visit http://us.toolbar.yahoo.com/ and follow the steps on the website.

 

For Windows 7 and Windows Vista

  1. Click Start, and then click Control Panel.
  2. Under Programs, click Uninstall a program.
  3. Scroll to and click Yahoo! Toolbar to select it, and then click Uninstall from the options above.
  4. Click Yes on the uninstall warning pop-up window.
  5. Close Uninstall a program and then restart Internet Explorer to verify that the issue is resolved.
  6. To re-install the Yahoo! Toolbar to the latest version, please visit http://us.toolbar.yahoo.com/ and follow the steps on the website.

 

 

 

Internet Explorer users warned of new zero-day attacks

November 5, 2010 by admin  
Filed under Security News


 

Microsoft has warned users of all supported versions of the Internet Explorer browser that an unpatched vulnerability exists in the product that is being actively exploited by malicious hackers in targeted attacks.

 

The zero-day vulnerability, described in Microsoft’s security advisory, allows cybercriminals to execute code on remote users’ computers without their permission.

 

In other words, simply clicking on a link in an email could take you to a webpage which would silently install malicious code (such as a backdoor Trojan horse) onto your computer. In short, you could be one click away from having a hacker access your computer or commandeer it into being part of a botnet.

 

Sophos is adding detection of the malicious webpages as Mal/20103962-A, and the Trojan horse that we have seen being downloaded as Troj/GIFDldr-A.

 

According to Microsoft’s advisory, Data Execution Prevention (DEP) – which is enabled by default in Internet Explorer 8 on Windows XP SP3, Windows Vista SP1, Windows Vista SP2, and Windows 7 – helps to protect against the attacks.

 

All eyes will now be on Microsoft to see how quickly they can issue a fix for this vulnerability – it would certainly be impressive if they managed to roll out a patch in time for next Tuesday’s “Patch Tuesday”, but that may be a little optimistic.

 

By Graham Cluley, nakedsecurity.sophos.com

 

Critical patches for Windows and Flash Player

August 11, 2010 by admin  
Filed under Security News

If you’re a user of Windows or Flash (and I would imagine that covers the vast majority of you) then it’s time to roll out the latest critical security patches, as Microsoft and Adobe have released updates to their software.

 

First up is Microsoft, who have released a bumper bundle of fixes as part of their regular “Patch Tuesday” cycle, issuing 14 bulletins to remedy 34 security holes in Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.

 

Eight of the bulletins have been given Microsoft’s highest severity rating of “critical”, with the rest being labelled “important”.

 

The good news, as Chet Wisniewski explains, is that we haven’t yet seen any malware spreading by exploiting these vulnerabilities – but that may only be a matter of time.

 

Separately, Microsoft has also issued an advisory about a zero-day vulnerability, which could allow untrusted code to run on a user’s machine by exploiting a weakness in the Windows Service Isolation feature.

 

Meanwhile, another platform commonly targeted by malicious hackers has been updated to defend against security vulnerabilities.

 

Adobe has identified critical vulnerabilities in Adobe Flash Player version 10.1.53.64 and earlier, and urged users to update their installations of Flash and Adobe Air.

 

If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.

 


 

 

 

UK Government: We’re sticking with Internet Explorer 6

August 5, 2010 by admin  
Filed under Security News

Gulp. At the end of last week, along with thousands of other Brits, I received an email from the UK Government telling me that they had responded to a petition I had signed urging the Prime Minister to encourage government departments to upgrade from Internet Explorer 6.

 

You can read the UK Government’s response here.

 

In a nutshell, Her Majesty’s Government says it is more cost-effective to stick with Internet Explorer 6 (which has been dogged with security issues) rather than switch to an alternative browser or a more up-to-date version.

 

Too expensive, huh?

 

You have to wonder if that’s going to be considered an acceptable excuse by the general public when there’s a serious security breach that exploits a creaky old browser that’s been around since 2001.

 

Where’s the wisdom in sticking with IE 6 when Microsoft itself has urged users to upgrade to a more secure version, many websites are dropping support for it, and security professionals advise that installations of Internet Explorer 6 should be taken outside and beaten with a heavy stick?

 


 

 

Microsoft to release emergency Internet Explorer patch on Tuesday

March 29, 2010 by admin  
Filed under Security News

Microsoft has announced that it will be issuing an emergency out-of-band patch for a critical security hole in some versions of Internet Explorer on Tuesday 30 March.

 

According to a Microsoft advisory, the emergency fix is designed to protect users of Internet Explorer 6 and Internet Explorer 7.

 

Microsoft normally bundles its security updates into a monthly package, known in the industry as “Patch Tuesday” (the second Tuesday of each month), and it is relatively unusual for the company to issue a fix for a security vulnerability outside of this cycle. Clearly Microsoft considers the bug particularly important to patch as soon as possible.

 

And in my opinion they’re right not to leave this vulnerability unpatched until April 13th. Earlier this month I described how hackers are actively exploiting the vulnerability, in their attempt to infect computers.

 

The researchers in SophosLabs reported some of the malicious spam messages we have seen being distributed which attempt to trick users into visiting websites that will exploit the zero day vulnerability and infect Windows PCs.

 


More information about the security flaw can be found in Sophos’s analysis of the problem.

 

So, if you are still using Internet Explorer versions 6 or 7, please be sure to update your systems as soon as Microsoft releases the fix. But, in all honesty, what are you doing running such old versions of IE anyway? Shouldn’t you have upgraded to Internet Explorer 8 by now?

 

By Graham Cluley, Sophos

 

 


Related Blogs

    Protecting against the Internet Explorer zero day vulnerability

    March 16, 2010 by admin  
    Filed under Security News

    A few days ago Microsoft warned its users of an unpatched security hole in its products that could leave Windows users exposed to attacks by cybercriminals.

     

    The Internet Explorer vulnerability, which has the CVE reference CVE-2010-0806 and fortunately does not affect Internet Explorer 8, is being actively exploited by malicious hackers. As reported on the SophosLabs blog, we have seen malicious spam messages being distributed which try and trick users into visiting websites that will exploit the zero day vulnerability to infect PCs.

     


    Sophos detects the exploit scripts seen so far generically as Troj/ExpJS-R.

     

    A proper patch from Microsoft for the problem is not yet available, but the company has issued a couple of workarounds that can be used by vulnerable Windows users.

     

    One of Microsoft’s workarounds makes it easy for users to automate the changes that need to be made to the Windows registry (something that normally can give regular users the heebie-jeebies) to disable the “peer factory” class on Windows XP and Windows Server 2003.

     

    They have also provided a workaround that enables Data Execution Prevention (DEP) on Internet Explorer 6 Service Pack 2 and Internet Explorer 7.

     

    If you are responsible for the security of a number of Windows PCs, rather than just your personal computer, you may wish to read the more detailed advice Microsoft provides on workarounds.

     

    More information about the security flaw can be found in Sophos’s analysis of the problem.

     

    There’s no word yet on when Microsoft will make available a proper fix for this problem, or indeed whether it will be included in their next “Patch Tuesday” bundle of patches scheduled for April 13th or released as an out-of-band fix.

     

    But I think it’s good that they gave the less geeky users of computers a fairly easy way to implement the workaround, rather than leaving them befuddled by complicated instructions.

     

    This latest attack is a timely reminder for all Internet Explorer users that maybe it’s high time they updated their systems to version 8.0 of the popular web browser.

     

    By Graham Cluley, Sophos

     

     

    Operation Aurora: Microsoft knew about Internet Explorer flaw for four months

    January 27, 2010 by admin  
    Filed under Security News

    On Thursday there were sighs of relief from all corners as Microsoft released a security patch for a vulnerability that had been exploited by hackers.

     

    The patch fixed a critical zero-day vulnerability in versions of Internet Explorer that would have meant visiting a boobytrapped webpage could have infected your computer, opening a backdoor for remote hackers.

     

    Nasty stuff, especially as it was being alleged that the security hole had been exploited by Chinese hackers who broke into the likes of Google and Adobe in an attack dubbed “Operation Aurora”.

     

    Interestingly, details are now emerging that Microsoft was first told about the security hole early last September – a full four months before it hit the world’s headlines.

     

    According to reports, Microsoft was informed about the security problem with its software (and the potential for hackers to take advantage of it) by security researcher Meron Sellen, and the company planned to roll out a fix in a cumulative update for Internet Explorer scheduled for next month.

     

    Now, if you were one of the high-tech, financial or military targets that are said to have been struck by the Chinese hackers you might be feeling a little bit miffed that Microsoft didn’t roll out its patch for this critical vulnerability sooner.

     

    For their part, Microsoft may well feel that, as the flaw primarily affected Internet Explorer 6, such organisations should already have updated to a more secure version of their browser (such as version 8.0).

     

    Is four months too long a time to fix a security hole of this severity? I’m not sure. One thing we have to bear in mind is that it can be very complicated developing and then testing a security patch to ensure that it works in all environments with multiple different versions of the software being patched.

     

    I would rather a patch worked than was rushed out and caused more problems than the bug it was trying to solve.

     

    The thing we should all be grateful for is that there is now a patch for Internet Explorer, meaning there really is no excuse for any company to be breached via this particular security hole again.

     

    But if Microsoft knew about this critical security vulnerability four months ago, I wonder how many other security holes there are that they secretly know about, but we don’t have a clue about yet.

     

    Oh, and don’t forget, there’s nothing to suggest that the hackers only exploited this Internet Explorer flaw. Chances are that they took advantage of a whole bunch of different weaknesses in different products, as well as some social engineering tricks, to break into computers inside the affected companies.

     

    By Graham Cluley, Sophos

     

    German Government: Don’t use Internet Explorer

    January 18, 2010 by admin  
    Filed under Security News

    The German government has advised computer users not to run Internet Explorer and run an alternative browser instead, because of a critical zero-day security flaw.

     

    The advice, which came in the form of an official statement from the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI) says that the as yet unpatched vulnerability is likely to be the same one blamed for hacker attacks on Google and other US companies last week.

     

    The BSI advisory claims that although Microsoft’s advice to run Internet Explorer in ‘protected mode’ and disable Active Scripting makes it more difficult for hackers to attack, it does not completely prevent them.


    Here is a rough translation (courtesy of Google Translate) of the BSI statement:

    Critical vulnerability in Internet Explorer

    BSI recommends the temporary use of an alternative browser
    Bonn, 15.01.2010.

    In Internet Explorer there exists a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted webpage into a Windows computer, in order to infiltrate and control computers. The past week has become known in the Hacker Attack on Google and other U.S. companies has probably exploited the vulnerability.

    Affected are the versions 6, 7, and 8 of Internet Explorer on Windows XP, Vista and Windows 7. Microsoft has published a security advisory, in which it discusses ways of minimizing risk and is already working on a patch for the security hole. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.

    Although running Internet Explorer in "protected mode" as well as disabling Active Scripting does make it more difficult to attack, it cannot be completely prevented. Therefore, the BSI recommends that users switch to an alternative browser while waiting for Microsoft's patch.

    Once the vulnerability has been closed, the BSI on its warning and information service MayorCERT also informed. Keep informed about the civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via E-mail.

     

    The vulnerability means that a hacker could send you a message, perhaps pretending to be from a colleague or friend, and – if you clicked on a link in that email – your vulnerable installation of Internet Explorer would visit a malicious webpage infecting your Windows PC with a Trojan horse.

     

    At that point the hackers could effectively grab control of your computer, with the potential of stealing company secrets, personal information or using it to spread spam or other attacks. The problem is that right now Microsoft doesn’t have a patch to fix their software.

     

    Of course, the German government’s advice that internet users should switch to alternative browsers is unlikely to be well received at Microsoft, and pressure is sure to grow on the company to release an “out-of-band” patch to resolve the security flaw as soon as possible.

     

    With Google pointing the finger of blame for the attacks at China, it’s perhaps not surprising that the German government should be keen to ensure that its own computers (whether they be in government or industry) are not next in the firing line of hackers.

     

    Alternative internet browsers such as Firefox, Safari and Opera have all suffered from security vulnerabilities in the past, of course.

     

    You can read SophosLabs’s write-up on the Microsoft security flaw here, as well as further commentary by principal virus researcher Vanja Svajcer.

     

    With all this talk about state-sponsored cyber-spying originating from China clearly spooking the German authorities, it’s perhaps a little ironic that the Germans themselves were accused of using the internet and malware to spy on another country a couple of years ago.

     

    by Graham Cluley, Sophos

     

    Danger! Internet Explorer zero-day vulnerability – no patch yet

    January 16, 2010 by admin  
    Filed under Security News


    Microsoft has released a security advisory about a previously unknown vulnerability in versions of Internet Explorer. There is currently no patch for the vulnerability which is being blamed, in part, for the high-profile attacks against Google, Adobe and other companies.

     

    Microsoft has published some mitigation advice and workarounds which can reportedly help block attack vectors, but at the time of writing there is no official patch available.

     

    There has been much speculation in the computer security industry (including some from myself!) that an Adobe PDF vulnerability could have been the route through which hackers delivered malware into Google and Adobe’s systems. Certainly we have seen a significant rise in the last year of targeted attacks exploiting vulnerabilities in Adobe’s code.

     

    But researchers close to the Google/Adobe hacking investigation say that they have found no evidence so far of the attack exploiting Adobe’s software in this way. Indeed, a statement posted yesterday on Adobe’s blog confirms this.

     

    So, right now, Microsoft Internet Explorer is being looked at with suspicion. And as the world’s most popular internet browser it’s obviously a serious cause for concern that an unpatched vulnerability that allows remote code execution exists that is being actively exploited by cybercriminals.

     

    System administrators and computer owners around the world will be holding their breath that an official patch from Microsoft arrives sooner rather than later. In the meantime, Microsoft is recommending that Internet Explorer users use Data Execution Prevention (DEP) – a technology that is enabled in Internet Explorer by default but needs to be turned on in earlier versions.


    by Graham Cluley, Sophos

     
