Advertisement
<a href="http://krebsonsecurity.com/critical-security-updates-from-microsoft-apple/?administer_redirect_13=http://abaca.com/free_trial.html"><img src="/a-ab/missing.gif" /></a>
  • About the Author
  • About this Blog

    • Posts Tagged: internet explorer

    Latest Warnings / Time to PatchComments Off
    11
    Oct 11

    Critical Security Updates from Microsoft, Apple

    Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.

    Nine of the 23 flaws Microsoft fixed with patches today are rated “critical,” meaning attackers could exploit them to break into vulnerable systems with little or no help from users. Eight of the nine critical bugs are in Internet Explorer. The remaining critical flaw is corrected in an update for the .NET Framework. Three of the vulnerabilities fixed with these updates were disclosed publicly prior to today, including a flaw in Windows Media Center that Microsoft believes crooks are likely to soon figure out how to reliably exploit.

    The iTunes update brings the music player software to version 10.5, and is available for Microsoft systems running Windows 7, Vista, XP SP2 and later. Two new features of iTunes deserve mentioning: Apple says iPhone and iPad users who upgrade to iOS 5 when it is released later this week will be able to sync with iTunes wirelessly. More importantly from an update perspective, Apple has at long last untethered iTunes from QuickTime.

    Continue reading →

    Time to Patch19 Comments
    15
    Jun 11

    Microsoft Patches Fix 34 Security Flaws

    Microsoft on Tuesday released 16 software updates to fix at least 34 security vulnerabilities in its Windows operating systems and other software. More than half of the updates address flaws Microsoft rates “critical,” meaning the bugs can be exploited with little to no user interaction.

    For organizations that need to test patches before deploying them, Microsoft said four of the updates deserve priority:

    • MS11-042 (DFS). This bulletin resolves two privately reported issues affecting all versions of Windows.
    • MS11-043 (SMB Client). This bulletin resolves one privately reported issue affecting all versions of SMB Client on Windows.
    • MS11-050 (Internet Explorer). This security bulletin resolves 11 privately reported issues in Internet Explorer.
    • MS11-052 (Windows). This bulletin resolves one privately reported issue in Windows and is also Critical.

    Another update, labeled “important,” fixes at least eight security problems in all versions of Microsoft Excel, including Office for Mac.

    More information on this week’s updates is available at this summary. Updates are available from Windows Update and via Automatic Updates. You may want to set aside some time for this update package: Among the critical patches is an update for Microsoft’s .NET software, and .NET updates are typically bulky. If you experience problems after applying any of the updates, please leave a note about it in the comments below.

    Time to Patch43 Comments
    14
    Jun 11

    Adobe Ships Security Patches, Auto-Update Feature

    Adobe today issued more than a dozen security updates for its Acrobat and PDF Reader programs, including a feature update that will install future Reader security updates automatically. In addition, Adobe has shipped yet another version of its Flash Player software to fix a critical security flaw.

    No doubt some will quibble with Adobe’s move toward auto-updating Reader: There is always a contingent in the user community who fear automatic updates will at some point force a faulty patch. But for better or worse, Adobe’s Reader software is the PDF reader software of choice for a majority of Windows computers in use today. Faced with incessant malware attacks against outdated versions of these programs, it seems irresponsible for Adobe to do anything other than offer auto-update capability to to Reader users more aggressively.

    Adobe debuted this feature in April 2010, but at that the time Adobe decided to continue to honor whatever update option users had selected (the default has always been “download all updates automatically and notify me when they are ready to be installed”). With this latest update, Adobe will again prompt users to approve an auto-update choice, except this time the option pre-selected will be “Install Updates Automatically.”

    Continue reading →

    Latest Warnings / Security Tools38 Comments
    25
    May 11

    Blocking JavaScript in the Browser

    Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser.

    It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

    Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

    The NoScript extension makes it easy to place or remove these restrictions on a site-by-site basis, but a novice user may need some practice to get the hang of doing this smoothly. For instance, it’s not uncommon when you’re shopping online to come across a site that won’t let you submit data without fully allowing JavaScript. Then, when you enable scripting so that you can submit your address and payment information, the page often will reload and clear all of the form data you’ve already supplied, forcing you to start over. Also, many sites host content from multiple third-party sites, and users who prefer to selectively enable scripts may find it challenging to discover which scripts need to be enabled for the site to work properly.

    Chrome also includes similar script- and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as Noscript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted.

    Continue reading →

    Latest Warnings / Time to Patch48 Comments
    13
    May 11

    Critical Flash Player Update Plugs 11 Holes

    Adobe has released another batch of security updates for its ubiquitous Flash Player software. This “critical” patch fixes at least 11 vulnerabilities, including one that reports suggest is being exploited in targeted email attacks.

    In the advisory that accompanies this update, Adobe said “there are reports of malware attempting to exploit one of the vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. However, to date, Adobe has not obtained a sample that successfully completes an attack.”

    The vulnerabilities exist in Flash versions 10.2.159.1 and earlier for Windows, Mac, Linux and Solaris. To learn which version of Flash you have, visit this link. The new version for most platforms is 10.3.181.14; Android users should upgrade to Flash Player 10.3.185.21 available by browsing to the Android Marketplace on an Android phone; Google appears to have updated Chrome users automatically with this version of Flash back on May 6 (Chrome versions 11.0.696.68 and later have the newest Flash version).

    Continue reading →

    Security Tools41 Comments
    30
    Mar 11

    Test Your Browser’s Patch Status

    With new security updates from vendors like Adobe, Apple and Java coming out on a near-monthly basis, keeping your Web browser patched against the latest threats can be an arduous, worrisome chore. But a new browser plug-in from security firm Qualys makes it quick and painless to identify and patch outdated browser components.

    Qualys Browser Check plug-inThe Qualys BrowserCheck plug-in works across multiple browsers — including Internet Explorer, Firefox, Chrome and Opera, on multiple operating systems. Install the plug-in, restart the browser, click the blue “Scan Now” button, and the results should let you know if there are any security or stability updates available for your installed plug-ins (a list of the plug-ins and add-ons that this program can check is available here). Clicking the blue “Fix It” button next to each action item listed fetches the appropriate installer from the vendor’s site and prompts you to download and install it. Re-scan as needed until the browser plug-ins are up to date.

    Secunia has long had a very similar capability built into its free Personal Software Inspector program, but I realize not everyone wants to install a new program + Windows service to stay abreast of the latest patches (Secunia also offers a Web-based scan, but it requires Java, a plug-in that I have urged users to ditch if possible). The nice thing about Qualys’ plug-in approach is that it works not only on Windows, but also on Mac and Linux machines. On Windows 64-bit systems, only the 32-bit version of Internet Explorer is supported, and the plug-in thankfully nudges IE6 and IE7 users to upgrade to at least IE8.

    Having the latest browser updates in one, easy-to-manage page is nice, but remember that the installers you download may by default come with additional programs bundled by the various plug-in makers. For example, when I updated Adobe’s Shockwave player on my test machine, the option to install  Registry Mechanic was pre-checked. The same thing happened when I went to update my Foxit Reader plug-in, which wanted to set Ask.com as my default search provider, set ask.com as my home page, and have the Foxit toolbar added.

    Latest Warnings / The Coming Storm24 Comments
    14
    Mar 11

    Adobe: Attacks on Flash Player Flaw

    Adobe warned today attackers are exploiting a previously unknown security flaw in all supported versions of its Flash Player software. The company said the same vulnerability exists in Adobe Reader and Acrobat, but that it hasn’t yet seen attacks targeting the flaw in those programs.

    In an advisory released today, Adobe said malicious hackers were exploiting a critical security hole in Flash (up to and including the latest version of Flash. The software maker warned the vulnerability also exists in Adobe Flash player 10.2.152.33 and earlier versions for Windows, Mac, Linux and Solaris operating systems (10.2.154.13 and earlier for Chrome users), Flash Player 101.106.16 and earlier for Android. In addition, Adobe believes the bug lives in the “authplay.dll” component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Mac systems.

    Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment. Why someone would need to embed a Flash file in an Excel document is anyone’s guess.

    Continue reading →

    Other20 Comments
    28
    Jan 11

    Microsoft: Exploit Published for Windows Flaw

    Microsoft warned today that hackers have published instructions for attacking a previously unknown security hole in all versions of Windows that could be exploited to siphon user data or trick users into installing malicious code.

    Redmond published an advisory about a vulnerability in the way Windows handles MHTML code that could let attackers run Javascript code if the user is browsing a malicious site using Internet Explorer. As Wolfgang Kandek, chief technology officer at Qualys notes, that means that IE is the only known exploit vehicle for this flaw, and that other browsers such as Firefox and Chrome are not affected in their default configuration because they don’t support MHTML without the installation of specific add-ons.

    Microsoft said it may issue a patch to fix the flaw, but that in the meantime IE users who are concerned about this threat can use a supplied “FixIt” tool to help shore up the way Windows handles MHTML documents. The enable that fix, visit this link and click the FixIt icon.

    Security Tools / Time to Patch12 Comments
    11
    Jan 11

    Microsoft Plugs Three Windows Security Holes

    Microsoft today released security updates to fix at least three vulnerabilities in its Windows operating systems, including one labeled “critical,” the company’s most serious rating. However, none of the patches address five zero-day flaws that can be used to attack Windows users.

    The critical update targets two weaknesses present in all versions of Windows that Microsoft said hackers could exploit to break into unpatched systems just by getting users to visit a compromised or malicious Web site. A second update fixes a security issue in the Windows backup tool that affects Windows Vista machines.

    The vulnerability in the Windows backup tool stems from a weakness that extends to hundreds of third-party, non-Microsoft applications built to run on Windows. I discussed this issue at length in a blog post in September, but the upshot is that Microsoft has made available a FixIt tool to help fortify a number of these applications against a broad swath of security threats that stem from a mix of insecure default behaviors in Windows and poorly-written third party apps. If you haven’t already done so, take a moment to read at least the short version of that post, and apply the supplied FixIt tool from Microsoft.

    Continue reading →

    Latest Warnings25 Comments
    4
    Jan 11

    Microsoft Warns of Image Problem

    Microsoft today warned Windows users about a previously unknown security vulnerability that could allow attackers to install malware simply by getting users to view a malicious image in a Web browser or document.

    Microsoft said in a security advisory that the problem stems from a bug in the Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. The software giant said that it is working on a patch for the flaw, but that it isn’t aware of any active attacks exploiting the security hole…yet.

    According to the CVE listing cited in the advisory, the vulnerability was discovered by a pair of security researchers who presented their findings at a security conference in Korea late last year.

    Continue reading →

    ← Older Entries