UK Government: We’re sticking with Internet Explorer 6

August 5, 2010 by admin  
Filed under Security News

Gulp. At the end of last week, along with thousands of other Brits, I received an email from the UK Government telling me that they had responded to a petition I had signed urging the Prime Minister to encourage government departments to upgrade from Internet Explorer 6.

 

You can read the UK Government’s response here.

 

In a nutshell, Her Majesty’s Government says it is more cost-effective to stick with Internet Explorer 6 (which has been dogged with security issues) rather than switch to an alternative browser or a more up-to-date version.

 

Too expensive, huh?

 

You have to wonder if that’s going to be considered an acceptable excuse by the general public when there’s a serious security breach that exploits a creaky old browser that’s been around since 2001.

 

Where’s the wisdom in sticking with IE 6 when Microsoft itself has urged users to upgrade to a more secure version, many websites are dropping support for it, and security professionals advise that installations of Internet Explorer 6 should be taken outside and beaten with a heavy stick?

 


 

 

Microsoft readies emergency patch for Shortcut zero-day flaw

August 5, 2010 by admin  
Filed under Security News

Updated: Good news from Microsoft. It has announced that it plans to release an emergency out-of-band update to patch a critical Windows security vulnerability that is being actively exploited by malware.

 

The so-called Shortcut exploit uses specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction.

 

Malware exploiting the vulnerability has included Stuxnet, Chymin and Dulkis, Zbot, and – most recently – Sality.

 

“In the past few days, we’ve seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers,” Christopher Budd, Senior Security Response Communications Manager at Microsoft, wrote on the MSRC blog.

 

Microsoft normally publishes its security patches on the second Tuesday of each month, but this one is scheduled to be released today (Monday, August 2 2010) at 10am PST (1800 BST).

 

Whenever Microsoft releases an out-of-band patch it’s a big deal – they clearly think it’s an important enough issue to break their regular cycle and you should pay attention too. We would recommend that computer users apply the patch as soon as possible.

 

As Microsoft is issuing a permanent patch for the shortcut vulnerability, we would recommend that users uninstall the Sophos Windows Shortcut Exploit Protection Tool before applying the Microsoft fix.

 

 


 

 

New version of Microsoft Security Essentials is now available!

July 21, 2010 by admin  
Filed under Protection Tools


Microsoft has released the beta for the next version of Microsoft Security Essentials. The software, Security Essentials, is a free toolset for any Windows user to protect themselves from the malware that plagues the world of Windows computing.

 

Microsoft Security Essentials is a free download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure – when you’re green, you’re good. It’s that simple. New features in the beta of Microsoft Security Essentials include:

 

  • Windows Firewall integration – During setup, Microsoft Security Essentials will now ask if you would like to turn the Windows Firewall on or off.
  • Enhanced protection for web-based threats – Microsoft Security Essentials now integrates with Internet Explorer to provide protection against web-based threats.
  • New protection engine – The updated anti-malware engine offers enhanced detection and cleanup capabilities with better performance.
  • Network inspection system – Protection against network-based exploits is now built in to Microsoft Security Essentials.

 

To download the beta of Microsoft Security Essentials, click here to visit the Microsoft Connect page to register for the beta. Once completed, you will find the instructions for downloading and installing the beta.

 

 

Source: MicrosoftFeed.com

 

Security risks for those who stay with Windows XP SP2

July 13, 2010 by admin  
Filed under Security News

Tomorrow (Tuesday 13 July 2010) Microsoft will issue its last ever security patches for Windows XP Service Pack 2 (SP2).

 

The service pack, which was first released in August 2004, will no longer be supported by Microsoft after Tuesday, meaning that users will no longer receive any security patches – regardless of how critical any discovered vulnerability may be.

 

Furthermore, it’s not just Windows XP SP2 that Microsoft won’t be updating – your installations of Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components also won’t receive security patches if you’re running that version of the operating system.

 

You may be wondering – “What’s the problem? After all, Windows XP SP3 was released in 2008, and replaced SP2, right?”

 

Well, yes. It did. But recently published statistics suggest that an alarming 77% of organisations are running Windows XP SP2 on 10% or more of their PCs.

 

That’s an awful lot of computers which may not be properly protected when a new vulnerability is discovered – and could potentially be vulnerable to a malware attack.

 

Microsoft would probably like you to update your computers to Windows 7, but that may be a tall order for many older PCs. If you’re not ready for Windows 7, make sure you apply the free update to Windows XP SP3. Windows XP SP3 will be supported by Microsoft until at least April 2014.

 



Critical security updates from Microsoft and Adobe

May 12, 2010 by admin  
Filed under Security News

It was “Patch Tuesday” yesterday, which means another parcel of security updates for computer users to unwrap, and this time the fixes aren’t just from Microsoft, but from Adobe too.

 

First on the menu is Microsoft, which has served up two security bulletins detailing vulnerabilities that could be exploited by hackers to execute malicious code (such as a worm) on your computer.

 

The first of these security holes exists in Outlook Express, Windows Mail, and Windows Live Mail. Microsoft’s Security Research & Defense blog goes into some detail about the vulnerability, explaining that although the security hole is given a “critical rating” on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, it is considered less serious for Windows 7 users as Windows Live Mail is not installed by default on that platform.

 

The other patch from Microsoft addresses a vulnerability in Visual Basic for Applications, a component used by Microsoft Office and other third-party products. Microsoft has given this security update its highest possible rating – “Critical” – for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. It is also rated “Important” for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System.

 

Next up is Adobe, who have released patches to squash over 20 security vulnerabilities in its Shockwave and ColdFusion products.

 

The critical vulnerabilities identified in Adobe Shockwave Player 11.5.6.606 and earlier versions impact both Windows and Macintosh users, and could allow attackers to run malicious code on your computer.

 

Adobe recommends that users update their version of Adobe Shockwave Player to version 11.5.7.609.

 

Details of the ColdFusion vulnerabilities, classed as “important”, are provided in Adobe Security Bulletin APSB10-11.

 

Enough of waffle. Download and install the patches if your computer is affected.

 

By Graham Cluley, Sophos

 

Microsoft to release emergency Internet Explorer patch on Tuesday

March 29, 2010 by admin  
Filed under Security News

Microsoft has announced that it will be issuing an emergency out-of-band patch for a critical security hole in some versions of Internet Explorer on Tuesday 30 March.

 

According to a Microsoft advisory, the emergency fix is designed to protect users of Internet Explorer 6 and Internet Explorer 7.

 

Microsoft normally bundles its security updates into a monthly package, known in the industry as “Patch Tuesday” (the second Tuesday of each month), and it is relatively unusual for the company to issue a fix for a security vulnerability outside of this cycle. Clearly Microsoft considers the bug particularly important to patch as soon as possible.

 

And in my opinion they’re right not to leave this vulnerability unpatched until April 13th. Earlier this month I described how hackers are actively exploiting the vulnerability, in their attempt to infect computers.

 

The researchers in SophosLabs reported some of the malicious spam messages we have seen being distributed which attempt to trick users into visiting websites that will exploit the zero day vulnerability and infect Windows PCs.

 

More information about the security flaw can be found in Sophos’s analysis of the problem.

 

So, if you are still using Internet Explorer versions 6 or 7, please be sure to update your systems as soon as Microsoft releases the fix. But, in all honesty, what are you doing running such old versions of IE anyway? Shouldn’t you have upgraded to Internet Explorer 8 by now?

 

By Graham Cluley, Sophos

 

 


Related Blogs

    Protecting against the Internet Explorer zero day vulnerability

    March 16, 2010 by admin  
    Filed under Security News

    A few days ago Microsoft warned its users of an unpatched security hole in its products that could leave Windows users exposed to attacks by cybercriminals.

     

    The Internet Explorer vulnerability, which has the CVE reference CVE-2010-0806 and fortunately does not affect Internet Explorer 8, is being actively exploited by malicious hackers. As reported on the SophosLabs blog, we have seen malicious spam messages being distributed which try and trick users into visiting websites that will exploit the zero day vulnerability to infect PCs.

     

    Sophos detects the exploit scripts seen so far generically as Troj/ExpJS-R.

     

    A proper patch from Microsoft for the problem is not yet available, but the company has issued a couple of workarounds that can be used by vulnerable Windows users.

     

    One of Microsoft’s workarounds makes it easy for users to automate the changes that need to be made to the Windows registry (something that normally can give regular users the heebie-jeebies) to disable the “peer factory” class on Windows XP and Windows Server 2003.

     

    They have also provided a workaround that enables Data Execution Prevention (DEP) on Internet Explorer 6 Service Pack 2 and Internet Explorer 7.

     

    If you are responsible for the security of a number of Windows PCs, rather than just your personal computer, you may wish to read the more detailed advice Microsoft provides on workarounds.

     

    More information about the security flaw can be found in Sophos’s analysis of the problem.

     

    There’s no word yet on when Microsoft will make available a proper fix for this problem, or indeed whether it will be included in their next scheduled “Patch Tuesday” bundle of patches scheduled for April 13th or released as an out-of-band fix.

     

    But I think it’s good that they gave the less geeky users of computers a fairly easy way to implement the workaround, rather than leaving them befuddled by complicated instructions.

     

    This latest attack is a timely reminder for all Internet Explorer users that maybe it’s high time they updated their systems to version 8.0 of the popular web browser.

     

    By Graham Cluley, Sophos

     

     

    Check your password — is it strong?

    March 2, 2010 by admin  
    Filed under Protection Tools

    Your online accounts, computer files, and personal information are more secure when you use strong passwords to help protect them.

     

    Test the strength of your passwords: Click Here

     

    Powered by Microsoft


    Fake Conflicker.B Infection Alert puts internet users at risk

    February 19, 2010 by admin  
    Filed under Security News

    The global network of spamtraps controlled by the experts inside SophosLabs is seeing a swarm of attacks today, posing as an email warning about the Conficker worm.

     

    Here is a typical message that has been spammed out by hackers:

    Malicious email posing as a warning about the Conficker worm

    Subject: Conflicker.B Infection Alert
    Attached file: open.zip

     

    Message body:

     

    Dear Microsoft Customer,

    Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

    To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

    Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

    Regards,
    Microsoft Windows Agent #2 (Hollis)
    Microsoft Windows Computer Safety Division

     

    Opening the file attached to the email (in this case it’s called open.zip) infects your computer with malware which Sophos detects as Mal/EncPk-KW.

     

    The wording is nearly identical to a similar attack I blogged about last October.

     

    What surprises me is that during the last few months the hackers behind the attack appear to have made no effort to fix mistakes in their disguise – for instance, it should say Conficker in the subject line not Conflicker!

     

    I can only presume that they’re counting on their potential victims not spotting that typo. It certainly has not stopped the cybercriminals from sending out the infected messages en masse today. Presently this malicious spam campaign is one of the most commonly seen examples of file attachment malware being spread around the world:

    Examples of the malware caught in Sophos's traps

     

    By Graham Cluley, Sophos

     

    Tests Show Problems With AV Detections

    February 7, 2010 by admin  
    Filed under Security News

    Dateline: Moscow.

     

    Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.

     

    The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.

     

    After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to VirusTotal. Only Kaspersky detected the files at this point.

     

    But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.

     

    Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.

     


     

    But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and the fact that only a static scan was performed.

     

    And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”

     

    I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the mingw cross-compiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then created a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, 2 other products called the sample “suspicious”.

     

    This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.

     

    Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.

     

    By Larry Seltzer from PCMag.com

     

     
