Posts Tagged: IE zero day


14
Sep 16

Adobe, Microsoft Push Critical Updates

Adobe and Microsoft on Tuesday each issued updates to fix multiple critical security vulnerabilities in their software. Adobe pushed a patch that addresses 29 security holes in its widely-used Flash Player browser plug-in. Microsoft released some 14 patch bundles to correct at least 50 flaws in Windows and associated software, including a zero-day bug in Internet Explorer.

brokenwindowsHalf of the updates Microsoft released Tuesday earned the company’s most dire “critical” rating, meaning they could be exploited by malware or miscreants to install malicious software with no help from the user, save for maybe just visiting a hacked or booby-trapped Web site. Security firms Qualys and Shavlik have more granular writeups on the Microsoft patches.

Adobe’s advisory for this Flash Update is here. It brings Flash to v. 23.0.0.162 for Windows and Mac users. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. Continue reading →


1
May 14

Microsoft Issues Fix for IE Zero-Day, Includes XP Users

Microsoft has issued an emergency security update to fix a zer0-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited. In an unexpected twist, the company says Windows XP users also will get the update, even though Microsoft officially ceased supporting XP last month.

IEwarning

The rushed patch comes less than five days after the software giant warned users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. This flaw can be used to silently install malicious software without any help from users, save for perhaps browsing to a hacked or malicious site.

“We have made the decision to issue a security update for Windows XP users,” writes Dustin C. Childs, group manager, response communications at Microsoft. “Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

Microsoft says the majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. Windows users who don’t take advantage of the automatic updates feature of Windows (or who don’t wish to wait around for it to install the patch) can do so by visiting Windows Update.


27
Apr 14

Microsoft Warns of Attacks on IE Zero-Day

Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.

In an alert posted on Saturday, Microsoft said it is aware of  “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.

Microsoft’s security advisory credits security firm FireEye with discovering the attack. In its own advisory, FireEye says the exploit currently is targeting IE9 through IE11 (although the weakness also is present in all earlier versions of IE going back to IE6), and that it leverages a well-known Flash exploitation technique to bypass security protections on Windows.

ie0daymitigationMicrosoft has not yet issued a stopgap “Fix-It” solution for this vulnerability. For now, it is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help beef up security on Windows. Microsoft notes that EMET 3.0 doesn’t mitigate this attack, and that affected users should instead rely on EMET 4.1. I’ve reviewed the basics of EMET here. The latest versions of EMET are available here.

According to information shared by FireEye, the exploit also can be blocked by running Internet Explorer in “Enhanced Protected Mode” configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings as shown in the graphic above.

This is the first of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users. Microsoft last month shipped its final set of updates for XP. Unfortunately, many of the exploit mitigation techniques that EMET brings do not work in XP.


20
Feb 14

Adobe, Microsoft Push Fixes For 0-Day Threats

For the second time this month, Adobe has issued an emergency software update to fix a critical security flaw in its Flash Player software that attackers are already exploiting. Separately, Microsoft released a stopgap fix to address a critical bug in Internet Explorer versions 9 and 10 that is actively being exploited in the wild.

brokenflash-aThe vulnerabilities in both Flash and IE are critical, meaning users could get hacked just by visiting a compromised or booby-trapped Web site. The Flash patch comes just a little over two weeks after Adobe released a rush fix for another zero-day attack against Flash.

Adobe said in an advisory today that it is aware of an exploit that exists for one of three security holes that the company is plugging with this new release, which brings Flash Player to v. 12.0.0.70 for LinuxMac and Windows systems.

This link will tell you which version of Flash your browser has installed. IE10/IE11 and Chrome should auto-update their versions of Flash, although IE users may need to check with the Windows Update feature built into the operating system.

Continue reading →


8
Oct 13

Adobe, Microsoft Push Critical Security Fixes

Adobe and Microsoft today each issued software updates to fix critical security issues in their products. Microsoft released eight patch bundles to address 26 different vulnerabilities in Windows and other software – including not just one but two zero-day bugs in Internet Explorer. Adobe’s patches fix a single critical vulnerability present in both Adobe Acrobat and Reader.

crackedwinFour of the eight patch bulletins from Microsoft earned its most dire “critical” rating, meaning the updates fix problems deemed so severe that miscreants or malware could use them to break into vulnerable systems without any help from users. The patches impact a broad range of Microsoft products, including Windows, IE, SharePoint, .NET Framework, Office and Silverlight.

Front and center in the Microsoft patch batch is MS13-080, which addresses the zero-day IE vulnerability (CVE-2013-3893) that Microsoft first warned about on Sept. 17, as well as nine other security flaws in the default Windows Web browser. Amping up the threat level on this flaw, exploit code allowing attackers to leverage the flaw was released publicly last week as a module for the Metasploit exploit framework, a penetration testing toolkit.

Microsoft late last month released a stopgap “Fix It” solution to block exploits against the zero-day flaw, and the good news is that if you already applied that solution, you don’t need to undo those changes before applying this update. The bad news is that this isn’t the only zero-day vulnerability fixed in the IE patch bundle: Researchers at Trustwave Spiderlabs say they’ve confirmed that attackers are already exploiting one of the other flaws fixed in this IE update  (CVE-2013-3897).

Continue reading →


17
Sep 13

Microsoft: IE Zero Day Flaw Affects All Versions

Microsoft said today that attackers are exploiting a previously unknown, unpatched vulnerability in all supported versions of its Internet Explorer Web browser. The company said it is working on an official patch to plug the security hole, but in the meantime it has released a stopgap fix to help protect affected customers.

IEwarningMicrosoft said it is aware of targeted attacks that attempt to exploit the vulnerability (CVE-2013-3893) in IE 8 and IE 9 versions of the default Windows browser. According to an advisory issued today, the flaw is a remote code bug, which means malware or miscreants could use it install malware just by coaxing IE users to browse a hacked or malicious Web site.

The Fix It solution is available from this link. To apply it, click the Fix It icon above the Fix This Problem link. Applying this solution may limit some functionalities of IE, so if you run into problems after applying this interim patch, you can click the Fix It icon to the right of that “enable” button to reverse the update.

Update: As several readers have already noted in the comments, this Fix It solution is for 32-bit versions of IE only. In 64-bit Windows, you can tell whether the browser you’re using is a 32-bit or 64-bit version by opening the Windows Task Manager (Ctrl+Shift+Esc) and clicking the Processes tab. The number that appears after the process name (in this case, iexplore.exe) indicates the version in use.


14
May 13

Microsoft, Adobe Push Critical Security Updates

Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

crackedwinMicrosoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that miscreants and malware have been using to break into Windows computers. Other, slightly less severe holes were fixed in Microsoft Publisher, Word, Visio and Windows Essentials.

Last week, Microsoft released a stopgap “Fix-it” tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.

<soapbox>On a side note..Dear Microsoft: Please stop asking people to install Silverlight every time they visit a Microsoft.com property. I realize that Silverlight is a Microsoft product, but it really is not needed to view information about security updates. In keeping with the principle of reducing the attack surface of an operating system, you should not be foisting additional software on visitors who are coming to you for information on how to fix bugs and vulnerabilities in Microsoft products that they already have installed. </soapbox>

Silverlight required? C'mon, Microsoft!

Silverlight required? C’mon, Microsoft!

As it usually does on Microsoft’s Patch Tuesday, Adobe used the occasion to push its own security updates. A new version of Flash (v. 11.7.700.202 for Mac and Windows systems) fixes 13 vulnerabilities.  IE 10 and Google Chrome automatically update themselves to fix Flash flaws. This link should tell you which version of Flash your browser has installed. If your version of Chrome is not yet updated to v. 11.7.700.202, you may need to just restart the browser.

Continue reading →


14
Jan 13

Microsoft Issues Fix for Zero-Day IE Flaw

Microsoft today deviated from its usual monthly patch cycle in issuing an emergency security update to fix a critical security hole in its Internet Explorer Web browser that attackers have been exploiting to break into Windows PCs.

IEwarningThe update, MS13-008, addresses a single vulnerability in IE versions 6 through 8, and is available through Windows Update. The patch comes a little more than two weeks after security firms began seeing evidence that hackers were leveraging the vulnerability in targeted attacks. Microsoft maintains that it has seen only a limited number of attacks against the flaw, but acknowledged in a blog post that “the potential exists that more customers could be affected.”

Prior to today, Microsoft released a stopgap Fix It tool to help blunt attacks against the IE flaw. According to Microsoft, “if you previously applied the Fix it offered through the advisory, you do not need to uninstall it before applying the security update released today. However, the Fix it is no longer needed after the security update is installed, so we are recommending that you uninstall it after you have applied the update to your system.” Users who applied the Fix It solution can uninstall it by clicking the Fix It icon under the words “Disable MSHTML shim workaround” at this page.


8
Jan 13

Adobe, Microsoft Ship Critical Security Updates

Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting.

Two of the patches that Microsoft issued today earned a “critical” rating, signifying that these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. Microsoft called special attention to two critical bugs in its XML Core Services component; the company said it is likely that malware or miscreants will figure out a way to exploit these flaws in active attacks sometime within the next 30 days.

Unfortunately, Microsoft did not offer an official fix for a critical Windows flaw that malware and miscreants are already exploiting. In late December, Microsoft acknowledged that attackers were using a previously undocumented security hole in Internet Explorer versions 6 through 8 to break into Windows PCs. Microsoft later issued a stopgap “FixIt” tool to help lessen the vulnerability on affected systems, but researchers last week demonstrated that the FixIt tool only blocked some methods of attacking the flaw, leaving other ways unguarded. Meanwhile, a working copy of the exploit has been folded into Metasploit, a free penetration testing tool.

Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, said the zero-day IE vulnerability affects 90% of the IE install base at this time.

“Microsoft is not providing a patch today, though they have provided a Fix-It for the issue,” Kandek wrote in a blog post. “The vulnerability should be tracked closely, as a large percentage of enterprises still run the affected versions.”

Users who wish to continue browsing the Web with IE should upgrade to IE9 if possible (IE10 on Windows 8 also is not vulnerable). Users still on Windows XP will not be able to update to IE9, but may be able to derive some protection from the FixIt tool and by using Microsoft’s EMET tool. XP users may be better off, however, browsing with Firefox or Chrome with some type of script blocking and/or sandbox in place. More information on how to use EMET and script blocking options is available in my Tools for a Safer PC primer. More details about today’s updates from Microsoft can be found at the Microsoft Security Response Center blog and in the security bulletin summaries for each patch.

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.

Continue reading →


21
Jan 10

Microsoft Issues Emergency Fix for IE Flaw

Microsoft has issued an emergency security update to plug a critical hole in its Internet Explorer Web browser. The IE bug is the same flaw that is being blamed in part for fueling a spate of recent break-ins at Fortune 100 companies, including Google and Adobe.

If you use Microsoft Windows, please take a moment now to update your computer. Updates are available for all supported versions of IE and Windows.  The easiest way to install the patch is through Windows Update.  Users who have Automatic Updates turned on may be prompted to download and apply this within the next 48 hours or so, but honestly this is the kind of bug you probably want to quash as soon as possible.

The reason is that this is a browse-to-a-hostile-site-and-quickly-have-a-bad-day kind of flaw. What’s more, Symantec is now reporting that it has discovered hundreds of malicious and/or hacked Web sites are now serving up code that exploits this flaw to download malicious software. While many of these sites are in China, that fact matters little because hackers can always stitch code into a hacked, legitimate site that quietly and invisibly pulls down exploits from other sites. Meanwhile, security firm Websense warns that the targeted e-mail attacks leveraging this flaw continue unabated.

When computer code that exploits this IE flaw was first posted online last week, Microsoft was quick to point out that it had only seen the code working reliably against IE6 users. However, researchers now claim that the exploit can also be made to work against IE7 and even IE8 — the latest version of IE that ships with Windows 7 systems.

The fixes included in this patch aren’t limited to the publicly disclosed flaw: Microsoft has addressed seven other vulnerabilities in this patch as well. More details about this specific update are available at this Microsoft Technet page.