Browser headaches pile up for Redmond
Microsoft has warned of yet another serious vulnerability in Internet Explorer (IE), this time affecting the way the browser renders locally stored content.
The flaw could allow an attacker to steal user data through a specially crafted web page. The hole has yet to be patched, and Microsoft declined to give any further details.
Microsoft confirmed in a Security Advisory that the vulnerability is present in all versions of IE, but said that users running Protected Mode in IE7 and IE8 on Windows 7 or Windows Vista are not at risk.
The company considers only Windows XP machines and systems with Protected Mode disabled to be at risk.
Microsoft is investigating the flaw and is likely to release a patch next Tuesday as part of its monthly security update.
The warning is the latest in a string of bad publicity for Microsoft’s browser. A zero-day flaw surfaced in January which sent Microsoft scrambling to issue an update, and led some security experts to recommend that users dump the browser entirely.
Source:
V3.co.uk
New service monitors rogue posts.
Security vendor Websense is offering Facebook users and businesses a new free ‘firewall’ service that monitors their pages for malicious posts, links and spam.
Defensio 2.0 checks all posts to Facebook in real time against Websense’s ThreatSeeker Network, a database of problem URLs, before deciding whether to categorise a post as malicious or unwanted. This also draws from data gathered by US ISP Radialpoint and URL shortening service bit.ly before performing further heuristic analysis as a final check.
The service is free for anyone with fewer than 50,000 posts per month, and for companies with 15 employees or less. For professional sites or sites with larger volumes of posts, the service starts at $5 (£3) per month, per site.
Abuse of blogs and forums by malware hawkers is long established, and the company’s own research indicates that it has become a big enough issue to drown most unprotected sites in posting spam.
Defensio monitoring has also been integrated with the company’s Web Security Gateway system.
Source:
NetworkWorld.com
US-CERT advises users to update.
The U.S. Computer Emergency Readiness Team advised RealPlayer users Friday to apply a new security update for the media-playing software.
The update, issued earlier this week, fixes 11 vulnerabilities in RealPlayer and was issued for Windows, Mac and Linux versions of the product.
Although CERT thinks the patch is important, RealNetworks said in its advisory that it has received “no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.”
Although RealPlayer has lost market share recently to rivals such as Windows Media Player and iTunes, it is still widely used and has been exploited in past cyberattacks.
Source:
NetworkWorld.com
‘Targeted and co-ordinated nature of the attack’ marks it out, says George Kurtz
Last week’s revelation of a series of targeted Chinese cyber attacks on Google and at least 20 other firms was a “watershed” moment in cyber security, according to George Kurtz, chief technology officer at security giant McAfee.
Writing on the firm’s Security Insights blog yesterday, Kurtz said that, although his researchers see “lots of attacks that use complex malware combined with zero-day exploits”, the attack on Google, which McAfee has dubbed ‘Operation Aurora’, was notable for its motivation and sophistication.
“What really makes this is a watershed moment in cyber security is the targeted and co-ordinated nature of the attack, with the main goal appearing to be to steal core intellectual property,” he wrote.
“The list of organisations reported to have been hit by the cyber attack continues to grow. As a result, many companies and governments are asking us how they can determine if they were targeted in the same sophisticated cyber attack that hit Google.”
It was thought at first that flaws in Adobe software had been exploited to try and gain entry into Google’s systems, but it later emerged that the hackers in fact used a zero-day vulnerability in Internet Explorer. That code is now publicly available, increasing the urgency of a patch.
Microsoft has since released an updated security advisory urging users to upgrade to version 8 of the popular browser, which is unaffected.
“Customers should also consider applying the workarounds and mitigations provided in our Security Advisory, such as putting internet zone security settings to High,” said a Microsoft spokesperson.
Source:
V3.co.uk
In a move bound to cause red faces at Redmond, Microsoft has been forced to admit that a flaw in its Internet Explorer (IE) browser was the route by which Chinese hackers sought to infiltrate Google’s corporate systems.
“Based on our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks,” wrote Mike Reavey, director of the Microsoft Security Response Center, in a blog posting.
Microsoft’s announcement came after McAfee’s chief technology officer, George Kurtz, wrote in a blog posting that the firm had discovered a new vulnerability in IE that had been exploited by the hackers.
“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” he said.
Kurtz added that the targeted attack used tried and tested methods to get users to click on a link that then compromised their machine.
“These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s browser,” he added.
As a result of this, Microsoft issued guidelines to help customers reduce the risk of further attacks and called on firms to remain vigilant against the continued threats that exist.
“Attacks targeting specific corporate networks are becoming more prevalent in the threat landscape and organisations should follow defence-in-depth best practices, and deploy multiple layers of protection to improve their security posture,” added Reavey.
Source:
V3.co.uk
Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer.
Microsoft Security Advisory (979352)
This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.
Mitigating Factors:
• Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
Affected Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 8 for Windows Server 2003 Service Pack 2, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 in Windows 7 for 32-bit Systems
Internet Explorer 8 in Windows 7 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems
Non-Affected Software
Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4
Search giant seeks to make security more embedded in web email.
Google has announced that it is to standardise around HTTPS for its Gmail service.
Sam Schillace, Gmail engineering director, said in a blog post that the company is turning on HTTPS as standard on the service to encrypt messages being sent in and out of its servers.
“We initially left the choice of using it up to you because there’s a downside: https can make your mail slower, since encrypted data doesn’t travel across the web as quickly as unencrypted data,” he said.
“Over the last few months, we’ve been researching the security/latency tradeoff and decided that turning HTTPS on for everyone was the right thing to do. We are currently rolling out default HTTPS for everyone.”
Google introduced HTTPS to Gmail in 2008 as an option, and has since been under pressure to roll it out elsewhere. Last year an open letter from security professionals prompted the company to promise HTTPS support on all Google Apps.
Users who are already on HTTPS need do nothing, Schillace said, and controls to turn it off are in the settings menu of Gmail.
People using HTTPS Gmail offline may experience some problems, he said, but the company is working on it. In the meantime a Google advisory suggests switching the offline Office applications so that they synchronise via the HTTPS server.
Source:
V3.co.uk
Denial of service and DNS spoofing possible.
PowerDNS has released an update to its high performance DNS server software, which addresses several critical vulnerabilities that could be exploited to redirect traffic for a domain name or trigger a denial of service condition. Network administrators are advised to upgrade the PowerDNS Recursor to version 3.1.7.2.
The PowerDNS software, even if not as popular as BIND or others, is still used by large companies such as Wikimedia (Wikipedia), as well as NICs, ISPs and domain registrars like AOL, Shaw Cable, Register.com, Tucows or 1&1. In total, it is estimated that 8 to 10 million DNS zones are managed using PowerDNS.
The most severe vulnerability addressed by the 3.1.7.2 update is identified as CVE-2009-4009. “Using specially crafted packets, it is possible to force a buffer overflow in the PowerDNS Recursor, leading to a crash,” the developers explain. A workaround for this flaw involves using “allow-from” to restrict the users being serviced. Running the software from an account with restricted privileges can also reduce the risk of full system compromise.
Source:
Softpedia
I had a problem with ‘Windows Live Space’ closing my Space down…. they said (in a roundabout way) that it may be due to a breach of contract.
you can read the full story here:
Smokeys web log
It was re-instated with an apology saying:
You are absolutely right. I would like to say at Microsoft we are perfect but we are not. In this case a mistake was made and I am deeply apologetic to you for that. I have had your accounts reopened and I am addressing the problem that led to the mistake being made in the first place.
Should you have any further issues or problems feel free to contact me directly via the email I used to post this. Again I apologize for the mistake and hope it comes as some consolation that as a result of learning from this we are better able to serve you and all our customers in the future.
But after nearly a month, they have closed it down again!
I get no joy from them, they speak with ‘canned speeches’ and won’t answer a direct question.
Is this what we expect from Microsoft?
Come on guys…. get your act together.





