Operation Aurora: Microsoft knew about Internet Explorer flaw for four months

On Thursday there were sighs of relief from all corners as Microsoft released a security patch for a vulnerability that had been exploited by hackers.

 

The patch fixed a critical zero-day vulnerability in versions of Internet Explorer that would have meant visiting a boobytrapped webpage could have infected your computer, opening a backdoor for remote hackers.

 

Nasty stuff, especially as it was being alleged that the security hole had been exploited by Chinese hackers who broke into the likes of Google and Adobe in an attack dubbed “Operation Aurora”.

 

Interestingly, details are now emerging that Microsoft was first told about the security hole early last September – a full four months before it hit the world’s headlines.

 

According to reports, Microsoft was informed about the security problem with its software (and the potential for hackers to take advantage of it) by security researcher Meron Sellen, and the company planned to roll-out a fix in a cumulative update for Internet Explorer scheduled for next month.

 

Now, if you were one of the high-tech, financial or miltary targets that are said to have been struck by the Chinese hackers you might be feeling a little bit miffed that Microsoft didn’t roll out its patch for this critical vulnerability sooner.

 

For their part, Microsoft may well feel that as the flaw primarily affected Internet Explorer 6 that such organisations should already have updated to a more secure version of their browser (such as version 8.0).

 

Is four months too long a time to fix a security hole of this severity? I’m not sure. One thing we have to bear in mind is that it can be very complicated developing and then testing a security patch to ensure that it works in all environments with multiple different versions of the software being patched.

 

I would rather a patch worked than was rushed out and caused more problems than the bug it was trying to solve.

 

The thing we should all be grateful for is that there is now a patch for Internet Explorer, meaning there really is no excuse for any company to be breached via this particular security hole again.

 

But if Microsoft knew about this critical security vulnerability four months ago, I wonder how many other security holes there are that they secretly know about, but we don’t have a clue about yet.

 

Oh, and don’t forget, there’s nothing to suggest that the hackers only exploited this Internet Explorer flaw. Chances are that they took advantage of a whole bunch of different weaknesses in different products, as well as some social engineering tricks, to break into computers inside the affected companies.

 

By Graham Cluley, Sophos

 

Autorun no more

A little while ago, Microsoft released an update which partially disables some autorun functionality on Windows operating systems prior to Windows 7. The update, known as KB971029, is intended for Windows XP, Vista, Server 2003, and Server 2008. The autorun function is used to automatically start installation processes from CDs, DVDs, and USB drives, as well as other types of removable media.

 

Autorun works by using a file named autorun.inf found in the root of the file system for removable drives. While this is a helpful process when used with a trusted resource, such as a software installer from a CD, it has long been a successful malware infection vector on rewritable drives.

 

At Kaspersky, we’ve frequently urged Microsoft to disable this process, as anything that automatically installs software or code without properly informing the user can and will be used maliciously. In the past we’ve discovered infected consumer devices, and the autorun function has been used to spread incredibly successful threats as Conficker (Kido). This listing gives you a partial idea of just how often “autorun” gets used as an infection vector.

 

Early versions of Windows, including Windows XP Service Pack 1 and earlier, would automatically launch software on a rewritable drive with no notification. XP Service Pack 2 and later would automatically launch a window when the drive was inserted, and you could then choose to run an executable. In fact, you could check a box at the bottom to “Always do the selected action”. Malware creators often create an autorun.inf file on removable media when a malicious program launches, and this extends the attack vectors beyond network propagation. A shared USB drive becomes a threat to a network that may not even have Internet access.

 

With Windows XP Service Pack 2, and in Vista and Server 2008, a new feature called Autoplay was introduced. The Autoplay function pops up a window when an autorun.inf file is detected and requests action from the user. The options are to install a program, which launches the intended executable, or to open the folder to view files. While this approach is better than automatically running an executable without user knowledge, it’s not exactly safe. Most casual computer users are conditioned to keep clicking until the file opens, so this just adds a step on the road to infection. The update mentioned above disables the autoplay function on writable media like USB drives, while leaving the autoplay function intact for CDs and DVDs.

 

 

Windows 7 disables the function altogether on writable external drives by default. This is a much safer approach; although it makes it more difficult for the average person to find out what to do next when trying to install something new, there’s always a trade-off between security and usability. While we commend Microsoft for finally implementing this fix, it took far too long. Countless infections could have been avoided, and Conficker might have spread less widely if this simple fix had been pushed out earlier.

 

Source: viruslist.com

Firefox to alert users about out-of-date Adobe Flash

New versions of Firefox will warn users if their version of the Adobe Flash Player plugin is out-of-date.

 

After downloading the next Firefox release in 3.5.3 or 3.0.1.4, users with out-of-date versions of Flash will be presented with a message saying “you should update Adobe Flash right now”, together with a link to the free update on Adobe’s website.

 

Mozilla is focusing on Adobe Flash Player due to its popularity and because many internet users still carry out-of-date versions. It said this was a significant security risk and could potentially cause crashes and stability problems.

 

Mozilla said it would work with other plugin vendors to provide similar checks for their products in the future.

 

Adobe’s security problems with software have been well documented this year, with multiple flaws seen in Flash Player as well as PDF software Reader and Acrobat.

 

It also started running a regular security update cycle similar to Microsoft’s Patch Tuesday.

 

By Asavin Wattanajantra from itpro.co.uk

 

Cracked Windows – Microsoft warns of critical flaw

Microsoft has published a security advisory warning of a critical vulnerability in Microsoft DirectX on older versions of Windows.

The problem is in the way that Microsoft DirectShow handles QuickTime format files – meaning that if a user opened a maliciously crafted QuickTime media file, the hackers could run dangerous code on your computer.

Read more

« Previous Page