
Microsoft Issues Emergency Security Patch For IE

This topic is archived.
RedEarth Donating Member (1000+ posts) Tue Dec-16-08 09:32 PM
Original message
Microsoft Issues Emergency Security Patch For IE
Edited on Tue Dec-16-08 10:10 PM by RedEarth
Source: washingtonpost.com

Tuesday, December 16, 2008; 6:19 PM

Microsoft will issue an emergency security patch Wednesday for all versions of Internet Explorer. The patch is considered a critical fix for the security flaw currently plaguing the IE browser. So far, more than 2 million computers are believed to have been infected.


An advance notification of the patch published Tuesday describes it as protection for a "remote code execution" vulnerability. The move follows Microsoft's security advisory posted last Wednesday and updated Monday explaining the vulnerability and suggesting temporary "workarounds" for protection.


The flaw can be used to let attackers steal personal data such as passwords if a user visits a compromised Web site, of which at least 10,000 are thought to already exist. Thus far, the vulnerability has been used primarily for grabbing gaming passwords for black market sales. The hole could, however, potentially also be used to steal more sensitive information such as banking passwords and other private information.

Some security analysts had gone as far as to suggest all IE users switch to a competing browser until Microsoft found a suitable fix.


Microsoft's emergency security patch will become available Wednesday at 1 p.m. EST at the Microsoft Update site as well as at the Microsoft Download Center. All users of IE5, 6, and 7 are advised to install it. A separate patch is expected to be made available for users of IE8 Beta 2. Expect to see far more detail by midday Wednesday when Microsoft officially issues its security bulletin.



Read more: http://www.washingtonpost.com/wp-dyn/content/article/2008/12/16/AR2008121602378.html



Firefox tops list of 12 most vulnerable apps
Posted by Ryan Naraine @ 10:41 am

Mozilla’s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here’s Bit9’s dirty dozen:


Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools.

Adobe Flash and Adobe Acrobat: Bit9 listed 14 flaws patched this year that exposed desktops to arbitrary remote code execution via buffer overflow, “input validation issues” and malformed parameters.

more.....

http://blogs.zdnet.com/security/?p=2304

Jackpine Radical Donating Member (1000+ posts) Tue Dec-16-08 09:43 PM
Response to Original message
1. Glad I use Firefox, both on the Macbook and the Lenovo.

BadgerKid Donating Member (1000+ posts) Tue Dec-16-08 09:43 PM
Response to Original message
2. How many new bugs
will this patch introduce?

merwin Donating Member (1000+ posts) Tue Dec-16-08 10:25 PM
Response to Reply #2
4. The vulnerability exists as an invalid pointer reference in the data binding function of IE
So fix that pointer reference and the problem is gone. Doubt it's going to affect much if anything else, but if it does it will be fixed in the next patch cycle.

merwin Donating Member (1000+ posts) Tue Dec-16-08 10:14 PM
Response to Original message
3. Like I said in the post announcing the bug, the AP writer was trying to sensationalize
the issue by telling users to switch to Firefox until Microsoft patches it. Microsoft releases patches every Tuesday, in order to perform extensive user testing to make sure it's not going to break anything else. If it's extremely critical, they release an out-of-cycle emergency patch to plug the hole. I'm sure there will be another following in a week that will fix any issues caused by this.

All browsers have bugs and vulnerabilities. Microsoft and Firefox are both fairly equal at this point in fixing the flaws in a timely manner. Bugs and vulnerabilities are a part of any software. This one isn't even all that severe.

From the security bulletin:
• Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

So, the recommended configuration of Vista of having UAC enabled in Vista limits its ability to screw with your stuff. Those are default options of Vista. So basically it could screw with the stuff in your user folder/user registry. Whoop-de-frickin-doo. That's what backups are for, which EVERYONE should have anyway. And if you have Protected Mode on (which is default) in IE7, then it can only screw with IE itself.

This is a pussy little trojan compared to most, and the security analysts suggesting to switch browsers are complete fear mongering.

hendo Donating Member (1000+ posts) Tue Dec-16-08 10:30 PM
Response to Reply #3
6. a professional journalist
would never ever sensationalize a story
:sarcasm:

merwin Donating Member (1000+ posts) Wed Dec-17-08 12:14 AM
Response to Reply #6
7. NEVER!
Not in a million years!

StudsT Donating Member (310 posts) Tue Dec-16-08 10:30 PM
Response to Original message
5. "So far, more than 2 million computers are believed to have been infected." - yikes
I guess that keeps folks like me in business though ;)

StudsT

silverojo Donating Member (1000+ posts) Wed Dec-17-08 02:02 AM
Response to Original message
8. USE OPERA!
It's free, and more secure than other browsers.

Why people are still using that piece of crap Internet Explorer is beyond me....

kentauros Donating Member (1000+ posts) Wed Dec-17-08 09:34 AM
Response to Reply #8
18. Because it is integrated into all Windows products
and most companies use Windows, because that's all they know and that's all they are willing to know. So, their IT departments do what the boss says, and everyone uses nothing but MS products, no matter what the vulnerabilities are. Plus, it keeps IT busy and in need. Otherwise, how much work or justification to exist would IT have? ;)

I do agree, though: Use Opera!
Firefox and all the rest just copied Opera to begin with. How Firefox got so popular, I don't know. Opera has been the best browser and the most secure for ages :D

Doctor Cynic Donating Member (965 posts) Wed Dec-17-08 03:36 AM
Response to Original message
9. So is Microsoft abolishing IE entirely?

No Elephants Donating Member (1000+ posts) Wed Dec-17-08 03:50 AM
Response to Original message
10. Thanks for this info, RedEarth.

Adsos Letter Donating Member (1000+ posts) Wed Dec-17-08 06:13 AM
Response to Original message
11. Microsoft Scrambles To Fix Flaw
Source: SkyNews

Microsoft will rush out an emergency fix for its Internet Explorer (IE) software after the discovery of a flaw which allows hackers to take over PCs.

The company says a patch for the web browser will be released today - rather than wait for its regular security update next month.

The flaw was discovered last week and attacks were "spreading like wildfire", according to software security firm Trend Micro.

"When the patch is released people should run, not walk, to get it installed," said Trend Micro researcher Paul Ferguson.



Read more: http://uk.news.yahoo.com/5/20081217/twl-microsoft-scrambles-to-fix-flaw-3fd0ae9.html



...sigh...

hobbit709 Donating Member (1000+ posts) Wed Dec-17-08 06:13 AM
Response to Reply #11
12. Another reason not to use Internet Exploder

Jamastiene Donating Member (1000+ posts) Wed Dec-17-08 06:13 AM
Response to Reply #11
13. Funny, I don't think I've ever heard of Microsoft scrambling to do anything, except
monopolize the market share in OSes.

IE sucks anyhow. I'm so thankful I don't have to use it. I keep the Firefox installer on my jump drive. :D

acmavm Donating Member (1000+ posts) Wed Dec-17-08 06:13 AM
Response to Reply #11
14. Microsoft is amazing. They've been allowed to blackmail the world into
using a flawed and crappy product without having to ever worry about whether it works right or is secure when they release it on an unsuspecting public.

No other industry is allowed to market such a flawed product.

Ghost Dog Donating Member (1000+ posts) Wed Dec-17-08 06:25 AM
Response to Reply #14
15. Truth.
Monopoly is not a good idea.

:hi:

hootinholler Donating Member (1000+ posts) Wed Dec-17-08 07:38 AM
Response to Reply #14
16. Right, big pharma isn't allowed to release dangerous barely tested products...
And Monsanto, they never released anything that wasn't tested beyond belief...

-Hoot

Just in case... :sarcasm:

Jester Messiah Donating Member (1000+ posts) Wed Dec-17-08 08:44 AM
Response to Original message
17. Firefox & Linux on my home boxes.
I just look at this stuff and shrug. I'd recommend Linux to anyone here, just on ideological grounds. Linux is free and is open-source (open to anyone who cares to look), whereas Windows is a pile of corporatist crap, and the code is closed off and hidden. The choice seems clear.

Posteritatis Donating Member (1000+ posts) Wed Dec-17-08 10:49 AM
Response to Original message
19. I downloaded and installed the Firefox patch for IE years ago; problem solved! (nt)

Sentath Donating Member (1000+ posts) Wed Dec-17-08 11:33 AM
Response to Original message
20. Re: Firefox
Rated by one company, with an interest in selling you their 'lock your users in a small box' tech.

I have my doubts.