Tag Archives: Internet Explorer

Microsoft Releases Security Advisory 980088

Filed under Security Advisories
Microsoft has released Security Advisory 980088 to alert users of a vulnerability in Microsoft Internet Explorer. The advisory indicates that exploitation of this vulnerability may allow an attacker to harvest user credentials and other sensitive information by enticing users to visit a maliciously crafted web page.

US-CERT encourages users and administrators to review Microsoft Security Advisory 980088 and apply the suggested workarounds of running Internet Explorer in Protected Mode and setting the Internet zone security setting to High to mitigate the risk of unwanted information disclosure.

France and Germany warn citizens to avoid using Internet Explorer

Filed under Security News
The governments of both France and Germany have issued official warnings to their citizenry, saying that, until Microsoft releases a patch for the widely-used Internet Explorer web browser, it is a threat to network security and should not be used.

Tech news website eWeek reports that the exploit that has caused such widespread concern in Europe is the same one that was used to attack a number of corporate systems in the U.S., including Google's; the attack has since led that company to announce that it would cease cooperation with the Chinese government. Concerns have been raised about the Chinese government's possible involvement in the attacks.

The French and German governments both advised their citizens to switch to alternative web browsers, while eWeek reports that Microsoft has said the vulnerability can be avoided with a switch to Internet Explorer 8, thought to be immune to the exploit.

The French information agency CERTA said in a statement that it strongly advised users to disable dynamic code and to browse the internet with limited user rights active on the machine.

Microsoft issues Internet Explorer security update

Filed under Security News
Microsoft on Monday issued a security bulletin that updates a previous patch for Internet Explorer to resolve two issues. The IE bug only affects users who already applied the earlier patch.

Microsoft announced yesterday at the Microsoft Security Response Center that the security update MS09-054 released as part of the October Security Bulletin Release was causing errors in certain browsing scenarios.

The company said it is "not currently aware of any attempts to attack the vulnerabilities."

The MS09-054 bulletin is a fix rated critical for all Windows users. The bulletin addressed three flaws in all versions of IE and also an attack vector in the Firefox web browser for users with the Windows Presentation Foundation (WPF) plugin enabled.

Microsoft said users who have not applied the patch MS09-054 should first apply that fix before applying the fix from bulletin 976749.

The prior bulletin caused some confusion for Firefox maker Mozilla, which decided to block the Microsoft WPF add-on along with another .NET Framework Assistant add-on. Mozilla later unblocked the .NET Framework add-on within Firefox.

Microsoft wants web developers to support IE 8

Filed under Security News
Microsoft's web development team is reaching out to web developers to help websites support Internet Explorer versions 6, 7 and 8.

IE 8, the latest version of the Windows web browser, is compliant with web standards, according to Microsoft's Steve Guttman of the Expression Web team. Expression Web created a free web tool, SuperPreview, for developers.

"Internet Explorer 8 is an important release because it reconfirms Microsoft's commitment to interoperability and renewed emphasis on Web Standards," Guttman said on the IE blog.

Guttman said his team is in the process of doing significant tooling to support existing and emerging specifications.

Expression Web "helps developers and site owners in migrating their sites from earlier versions of Internet Explorer to the standards-compliant Internet Explorer 8," Guttman said.

The full version of SuperPreview also supports Firefox and ships with Expression Web 3.

Web developers are locked in a battle over different versions of web browsers and website development standards. The next version of the core language of the web is HTML5.

The current browser war pits IE against open source browsers like Firefox and Chrome. Microsoft's IE 8 recently beat the others in a lab test the company sponsored of web browser performance against websites containing malware.

Internet Explorer 8 aces web browser security test

Filed under Security News
Microsoft's Internet Explorer 8 (IE8) web browser outperformed Safari 4, Firefox 3, Chrome 2 and Opera 10 Beta in a Microsoft-sponsored security test by NSS labs.

The test measured the ability of the different web browsers to catch socially engineered malware attacks - where cybercriminals use web links to malicious sites featuring downloads of Trojan malware files disguised as applications such as video codecs.

In live testing over a two-week period in July, IE8 caught 81 percent of malware threats, 54 percent better than Firefox 3, the next best score, NSS Labs said in its report.

Firefox 3 caught 27 percent of live threats, the best among products utilizing the Google SafeBrowsing API. Apple's Safari 4 recognized just 21 percent of malware sites, Google Chrome just 7 percent and Opera only 1 percent.

Web browsers rely on in-the-cloud reputation software to decipher if a website URL hosts malicious content. However, not all browsers use the same techniques for determining which URLs are malicious.

"The use of reputation systems to assist browsers in the fight against socially engineered malware is a strong use of cloud technologies," NSS Labs said. "But not all vendor implementations and daily operations yield the same results."

Microsoft: IE6 support is about security, customer choice

Filed under Security News
Web developers and IT professionals have recently launched a campaign to "Kill IE6," the eight-year-old Internet Explorer web browser that is now two versions out of date.

But Microsoft insists it must continue supporting the browser to protect customers' web security and because it committed to do so.

"Dropping support for IE6 is not an option because we committed to supporting the IE included with Windows for the lifespan of the product," said Dean Hachamovitch, Microsoft's IE general manager, on the IE blog.

Eric Lawrence, Microsoft's IE security manager, said web security is also a concern. Dropping support for IE6 would mean Microsoft would no longer issue security patches and updates for the browser.

But many web users have expressed a preference for IE6 and might continue to use an unpatched browser, leaving them vulnerable to malware attacks.

"Putting customers at risk isn't an option," Lawrence said on the IEInternals blog. "Having said that, we work hard at evangelizing new browser releases and getting folks to upgrade. While we still support IE6, there's no question that users on IE8 will have a more secure, reliable, and performant [sic] experience."

Microsoft Announces Free PC Security Product

Filed under Security News

If you heard a deafening swallowing sound sometime in the past day or so, we can explain its origin. The corporate makers of security software must have collectively gulped when Microsoft announced its plans to offer a free consumer security product.

“Morro,” as the product’s called at the moment (probably named after Morro Castle), is supposed to take care of a lot of stuff. Viruses, spyware, rootkits, and Trojans are all on its kill list. It should require little in the way of bandwidth and computing resources, too, giving Microsoft an “in” with the growing netbook audience.

Amy Barzdukas, Microsoft’s senior director of product management for the Online Services and Windows Division, explained in a statement how Microsoft got the idea for Morro, saying, “Customers around the world have told us that they need comprehensive, ongoing protection from new and existing threats, and we take that concern seriously.”

She then continued, “This new, no-cost offering will give us the ability to protect an even greater number of consumers, especially in markets where the growth of new PC purchases is outpaced only by the growth of malware.”

So when does the rush of consumers getting Morro and software makers going out of business begin? Not for a while. Windows Live OneCare is scheduled to remain on sale through June 30th, 2009, and it’s during the phasing out of this product that Morro is supposed to become available for download.

What’s more, Morro may not achieve omnipresence even then. Since Microsoft has only advertised it as a security solution for Windows XP, Windows Vista, and Windows 7, a few people are sure to be left out in the cold. Internet Explorer’s also mentioned, which might mean Firefox users will be ignored.

Then there are the intentional gaps and potential for problems to consider. In regards to that first subject: encryption, firewalls, password protection, parental controls, and backup programs haven’t been addressed.

Still, Morro’s introduction looks to be a revolutionary moment in the PC security solution industry. Like that first collective gulp, listen for the sound of Tylenol bottles being opened as the end of June draws closer.

Microsoft, Adobe security updates coming on ‘patch Tuesday’

Filed under Security News
Adobe will release its first batch of quarterly security patches on Tuesday June 9th, the same day that the monthly security update comes out from Microsoft.

Adobe said it expects to deliver critical security updates for Adobe Reader and Acrobat versions 7.x, 8.x and 9.x for Windows and Macintosh, with Unix updates coming "when available."

The company said it would begin issuing quarterly patches to coincide with Microsoft's "patch Tuesday" after it came under intense criticism for its perceived lack of responsiveness to flaws in Reader and Acrobat.

Flaws in the software allowed hackers to remotely execute code, as happened in February via a JBIG2 image file that unleashed a Trojan horse.

In a blog post last month, Adobe's security chief Brad Arkin said the company took the criticism to heart.

"The JBIG2 issue also sparked a lot of conversation internally at Adobe from executives to testers and developers," Arkin wrote. "What started out as a routine incident response expanded to a broader effort by Adobe Reader and Acrobat engineers, culminating in permanent changes to our software security approach for those products."

Meanwhile, Microsoft will issue 10 security patches on Tuesday for flaws in Windows, Excel and Internet Explorer, six of which are rated as critical.

Microsoft will host a webcast to address customer questions on these bulletins on June 10th.