Tag Archives: Microsoft

IE8 best in web security

Filed under Security News
Microsoft's latest Internet Explorer release, IE8, provides users with the best overall malware protection of the major browsers, according to a recently released study from NSS Labs.

The study pitted IE 8 against the latest versions of Mozilla Firefox, Apple Safari, Google Chrome and Opera 10 and found that IE 8 blocked far more socially engineered malware than its competition. NSS credited Microsoft's SmartScreen Filter, which checks requested URLs against a reputation list of known malicious addresses and warns users before they reach a potentially dangerous page or download, as the feature responsible for the lead.

"Generally, at least half of a browser's total protection was achieved in the zero hour. But, Internet Explorer 8 continued to add as much as 30 percent of additional protection over the course of the test. Other browsers added between 2 percent and 14 percent over the course of the test," according to the study.

For Internet Explorer users who have still not updated to IE8, these latest results should be reason enough. In February, at the Black Hat DC Conference in Washington, D.C., Google demonstrated a hole in Internet Explorer 6 that is not present in IE8.

Microsoft Releases Security Advisory 980088

Filed under Security Advisories
Microsoft has released Security Advisory 980088 to alert users of a vulnerability in Microsoft Internet Explorer. The advisory indicates that exploitation of this vulnerability may allow an attacker to harvest user credentials and other sensitive information by enticing users to visit a maliciously crafted web page.

US-CERT encourages users and administrators to review Microsoft Security Advisory 980088 and apply the suggested workarounds of running Internet Explorer in Protected Mode and setting the Internet zone security setting to High to mitigate the risk of unwanted information disclosure.

Cloud network security concerns prompt Microsoft to propose new laws

Filed under Security News
Microsoft's general counsel, Brad Smith, told an audience at the Brookings Institution today that the government should step in to regulate the emerging cloud computing industry and help protect businesses and consumers from fraud and abuse.

Smith said that a survey Microsoft conducted recently found that 58 percent of the general public and 86 percent of industry leaders were "excited" at the prospect of cloud computing solutions, but that 90 percent of all respondents had serious concerns about security or privacy.

Smith proposed that Congress pass a Cloud Computing Advancement Act, which, he said, would give the government the necessary powers to address those concerns, as well as protect international sovereignty. He also called on senators and representatives to beef up the Computer Fraud and Abuse Act, to provide assistance to law enforcement efforts in the cloud.

Many experts agree that the cloud poses significant security challenges, due in part to its more open nature and in part to the growing organization and sophistication of the latest generation of cyber criminals.

Microsoft denies that Internet Information Services is vulnerable to attack

Filed under Security News
Responding to allegations of security vulnerabilities in its Internet Information Services infrastructure, Microsoft yesterday released a blog post, detailing its investigation into the product and its conclusions that there was no inherent vulnerability.

The problem, Microsoft said, lies with how the server is configured rather than with the program itself. IIS can be abused when a directory is configured to allow both write and execute permissions, so that an attacker who can upload a file can also have the server run it, but this is not the default configuration, and Microsoft says that it specifically warns administrators against setting up IIS in this way.

However, on a server where write and execute permissions were combined in that way, an attacker could take advantage of a flaw in the way IIS 6 handles semicolons in file names: a name such as "upload.asp;.jpg" passes an upload filter that only looks at the final extension, but the server stops reading at the semicolon and hands the file to the ASP handler, giving the attacker remote code execution. Researcher Soroush Dalili's paper publicized the flaw, but did not say which live web applications were vulnerable to it, citing security concerns.
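The upload-filter failure described above, as an added example that is not part of the original article or of Dalili's paper: the "server-side view" is a simplified model of the reported IIS 6 behaviour (an assumption for illustration, not IIS code), the weak validator only checks the last extension, and the hardened validator rejects any name the server could parse differently than the filter did. The script-extension set is illustrative and not exhaustive.

```python
import os

# Extensions the hypothetical upload feature is meant to accept.
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Extensions that IIS 6 routed to a script handler (illustrative subset).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa"}


def iis6_semicolon_extension(filename: str) -> str:
    """Model of the reported IIS 6 behaviour (simplified assumption): the
    name is truncated at the first ';' before the extension is examined,
    so 'upload.asp;.jpg' is treated as an .asp file."""
    truncated = filename.split(";", 1)[0]
    return os.path.splitext(truncated)[1].lower()


def naive_upload_check(filename: str) -> bool:
    """Weak validator: trusts only the final extension, so the semicolon
    trick sails through."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_UPLOAD_EXTENSIONS


def hardened_upload_check(filename: str) -> bool:
    """Strict validator: reject anything the server might parse differently
    from the filter (path parts, ';', NUL, hidden files, double extensions)
    and then require exactly one allow-listed extension."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != filename:          # contained a path component
        return False
    if ";" in base or "\x00" in base or base.startswith("."):
        return False
    stem, ext = os.path.splitext(base)
    if not stem or "." in stem:               # 'a.asp.jpg' style names
        return False
    return ext.lower() in ALLOWED_UPLOAD_EXTENSIONS


def would_execute(filename: str, check) -> bool:
    """True when the given validator accepts the name yet the modelled
    server would hand the file to a script handler."""
    return check(filename) and iis6_semicolon_extension(filename) in SCRIPT_EXTENSIONS


if __name__ == "__main__":
    for name in ("photo.jpg", "upload.asp;.jpg", "../upload.jpg"):
        print(name, "naive:", would_execute(name, naive_upload_check),
              "hardened:", would_execute(name, hardened_upload_check))
```

The filename check is a second line of defence; the primary fix, as Microsoft's post says, is never to grant write and execute on the same directory, so that even a misnamed upload cannot run.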

Microsoft has patched a number of serious vulnerabilities in its products of late, including Windows 7 and the Office productivity suite.

Has Microsoft pointed hackers to a way around anti-virus software?

Filed under Security News
The recent release of a "whitelist" of system folders that Microsoft says do not need to be scanned by anti-virus software has caused a minor controversy in the world of computer security, with some experts saying that the software giant has shown potential malware pushers an easy way to circumvent anti-virus protection.

Security researcher David Sancho, writing on Trend Micro's company blog, warns that publicizing these virus scanning tips may have offered a target to would-be cyber criminals. Sancho says that, although excluding the files and folders in question - related to Windows Update and Group Policy - makes sense for users looking to minimize the performance hit caused by anti-virus software, making the recommendations public knowledge was an unnecessary risk.

The point, according to Sancho and others, is that the public recommendation by a trusted source like Microsoft is likely to cause numerous users to follow the advice and remove the anti-virus protection for the files and folders. While malware writers have not yet targeted those files and folders specifically, Microsoft's recommendation amounts to an open invitation to do so, experts say.

Novice users should not attempt to alter the relevant anti-virus settings, according to experts.

Microsoft counts Chrome coup with discovery of security flaw

Filed under Security News
Security researchers at Microsoft recently discovered a security vulnerability in Google's controversial Chrome Frame for Internet Explorer, a browser plug-in that renders pages with Chrome's engine inside an Internet Explorer session.

The vulnerability, which Google fixed in a patch pushed out on Wednesday, could have been used for a cross-origin bypass, the class of flaw that lets a malicious page reach content belonging to another site, on systems running Chrome Frame. Google says that it was unaware of any active exploits and that the vulnerability would not have allowed "persistent" malware access.

Chrome Frame has been a thorn in the side of Microsoft since its release, with the Redmond giant saying that it made Internet Explorer users less secure while browsing. Until this vulnerability was discovered, however, the company had no evidence of any insecurity.

Chrome Frame's silent, automatic update - a common feature of Google products - has also drawn fire, with critics saying that the company violates its customers' right to control what software is installed on their PCs. Google has responded by asserting that the automatic patching ensures that all users are protected against the latest threats.

Windows 7 zero-day exploit story keeps getting grimmer

Filed under Security News
A new security advisory issued by Microsoft confirms independent findings about a critical security vulnerability in Windows 7, and offers advice to users who might be affected by the exploit.

The flaw is one of several discovered in Microsoft's Server Message Block (SMB) implementation, and working exploit code could allow an attacker to remotely crash affected computers in a denial-of-service attack.

Microsoft advised users of affected machines to block TCP ports 139 and 445 at the firewall, cutting off SMB from the internet until a patch can be produced and distributed. Windows 7 and Windows Server 2008 R2 are said to be vulnerable; the attack could be triggered by luring a user into connecting to a malicious SMB server, for example through a link in a web page or a Microsoft Office document.
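A quick way to verify that the port-blocking workaround is actually in effect from a vantage point outside the firewall, as an added example not taken from Microsoft's advisory: the probe attempts a plain TCP connection to each SMB port and reports which ones still accept connections. The demo function exercises the probe against a constructed loopback listener and a deliberately closed port so the block runs offline; the host name in the usage line is a placeholder.

```python
import socket

# The two ports Microsoft's advisory says to block at the perimeter.
SMB_PORTS = (139, 445)


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.
    Refused, filtered (timed out) and unreachable all count as 'not open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smb_exposure(host: str, ports=SMB_PORTS, timeout: float = 1.0) -> dict:
    """Map each SMB port to whether it accepted a connection from here.
    Any True value means the firewall rule is not doing its job."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def demo() -> dict:
    """Self-contained check on loopback (constructed input): one listening
    socket stands in for an exposed SMB port, and a port that was bound
    then released stands in for a blocked one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                 # backlog lets connects complete
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens here any more

    try:
        result = smb_exposure("127.0.0.1", ports=(open_port, closed_port))
    finally:
        listener.close()
    return {"open": result[open_port], "closed": result[closed_port]}


if __name__ == "__main__":
    print(demo())
    # Against a real host (placeholder name), from outside the firewall:
    # print(smb_exposure("fileserver.example.internal"))
```

Run it from a network segment the firewall is supposed to separate from the host; a probe from inside the same segment will succeed even when the perimeter rule is correct, which is a check on the wrong side of the boundary.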

However, the company strongly criticized the security researcher who publicized the exploit, calling the public disclosure of an important security flaw "irresponsible" and urging users to report vulnerabilities directly to the company in the future. Laurent Gaffie told ZDNet that he publicized the information due to what he characterized as a lackadaisical Microsoft response to an unrelated security flaw, which is also unpatched.

Microsoft issues Internet Explorer security update

Filed under Security News
Microsoft on Monday issued a security bulletin that revises a previous patch for Internet Explorer to resolve two issues. The problem being corrected only affects users who had already applied the earlier patch.

Microsoft announced yesterday at the Microsoft Security Response Center that the security update MS09-054 released as part of the October Security Bulletin Release was causing errors in certain browsing scenarios.

The company said it is "not currently aware of any attempts to attack the vulnerabilities."

The MS09-054 bulletin is a fix rated critical for all Windows users. The bulletin addressed three flaws in all versions of IE and also an attack vector in the Firefox web browser for users with the Windows Presentation Foundation (WPF) plugin enabled.

Microsoft said users who have not yet applied MS09-054 should first apply that fix before applying the follow-up update, 976749.

The prior bulletin caused some confusion for Firefox maker Mozilla, which decided to block the Microsoft WPF add-on along with another .NET Framework Assistant add-on. Mozilla later unblocked the .NET Framework add-on within Firefox.

Mozilla and Microsoft tangle on Firefox plug-in security

Filed under Security News
Microsoft and Mozilla got their signals crossed last week over .NET Framework Assistant, an add-on that Microsoft had installed into Firefox through a .NET Framework update. Mozilla is blocking one vulnerable Microsoft add-on, and blocked and then unblocked another.

On Friday, Mozilla blocked the .NET Framework Assistant add-on for Firefox 3.5, citing difficulties some users had entirely removing the add-on, "and because of the severity of the risk it represents if not disabled," according to Mike Shaver, Mozilla's vice president of engineering, on the Mozilla security blog.

Shaver said Mozilla contacted Microsoft "to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism," according to the blog post. But on Sunday, Mozilla was trying to unblock the add-on for .NET Framework Assistant, as Shaver said the add-on did not pose a security vulnerability.

"We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we've removed it from the blocklist," Shaver said in his blog.

But a separate vulnerability exists for a Microsoft add-on that Mozilla said needs blocking for Firefox users. The vulnerability exists in the Windows Presentation Foundation (WPF), which is included in the .NET Framework Service Pack 1. Shaver said via Twitter that the "WPF plugin is the vector for the XBAP vuln via Firefox."

Microsoft wants web developers to support IE 8

Filed under Security News
Microsoft's web development team is reaching out to web developers to help websites support Internet Explorer versions 6, 7 and 8.

IE 8, the latest version of the Windows web browser, is compliant with web standards, according to Microsoft's Steve Guttman of the Expression Web team. Expression Web created a free web tool, SuperPreview, for developers.

"Internet Explorer 8 is an important release because it reconfirms Microsoft's commitment to interoperability and renewed emphasis on Web Standards," Guttman said on the IE blog.

Guttman said his team is in the process of doing significant tooling to support existing and emerging specifications.

Expression web "helps developers and site owners in migrating their sites from earlier versions of Internet Explorer to the standards-compliant Internet Explorer 8," Guttman said.

The full version of SuperPreview also supports Firefox and ships with Expression Web 3.

Web developers are caught between differing browser versions and evolving web standards; the next version of HTML, the core language of the web, is HTML5.

The current browser war pits IE against Firefox and Chrome. Microsoft's IE 8 recently beat the others in a company-sponsored lab test of how well each browser blocks websites serving malware.