A flaw in an Android open source web browsing app found on nearly half the active Android user base could potentially be used by malicious websites to steal user information. Reported by white-hat hacker Rafay Baloch earlier this month, this bug affects the Android Open Source Platform browser – also known as “Android Browser” – which was the default browser on all Android phones shipped prior to Android OS 4.2, when Google switched the default browser to Chrome. Even then, parts of Android Browser were still being used by other OS applications up until version 4.4, when Google swapped those parts out for Chromium ones. A survey of web browsers used shows that nearly half of all Android users may be using Android Browser actively, which could equate to nearly 40 million potential victims.
What this means for you:
Note that “Android Browser” (with capital B) is the actual name of this program, and should not be confused with the Chrome app, which is also an “Android browser” – as in it’s an app that lets you browse the internet on your Android device. If you still have the Android Browser app installed on your 4.X Android phone, you should replace it with Chrome. However, this may only solve part of the problem, as many other apps that have some form of internet browsing built into them may be using the flawed engine embedded inside the app itself, and there is no clear way to know for sure without asking the developer.
Now that Google has officially acknowledged the bug, a fix is supposedly in the works, but Google hasn’t said when it will release the update, which will have to be delivered as part of an OS update (i.e. going from 4.3 to 4.4) and not through the Play Store. Also, it’s not clear whether that update will trickle down to the many apps that still use the engine to power their own embedded browsers. For now, stick to using Chrome, and be wary of apps that have built-in web browsing capabilities.
It’s nice that Microsoft can keep guys like me busy. Luckily, exploitation of their latest zero-day weakness seems to be limited (so far) to an advanced persistent threat (APT) attack targeting users of a specific national and international security policy website. This particular exploit is being delivered in a traditional “drive-by” attack when users of the English-version of Internet Explorer (specifically IE 7 and 8 on Windows XP, and IE 8 on Windows 7) visit this website. What distinguishes it from past threats is this malware’s ability to write malicious code directly to memory and then execute without writing to disk, a technique that makes detection and remediation much more difficult.
Microsoft intends to release a patch for this vulnerability as early as tomorrow (Nov 12). This is very fast for someone like Microsoft, and may be an indication of how serious this particular vulnerability might be.
What this means for you:
Though the exploit seems to be narrowly targeted at the moment, security researchers say it wouldn’t be hard to modify the existing attack software to affect all versions of IE from 7 through 10, and any language in which IE is distributed. Assuming you have the leeway to do so, I still recommend using another browser like Chrome or Firefox, which still have a better track record when it comes to catching and patching weaknesses like the above. If you are required to use IE, make sure Windows Update is functional, and that you apply all critical and important updates as they are downloaded to your computer. Larger companies may control how frequently Windows Updates are applied in their enterprise, but don’t be afraid to ask your resident IT representative if they are taking steps to keep Internet Explorer safe for your use.
As predicted, the zero-day flaw in multiple versions of Microsoft’s web browser, Internet Explorer, is now being actively exploited by multiple APT (Advanced Persistent Threat) groups in attacks that are targeting large numbers of people. The most publicized and successful of these attacks have been focused on government websites. Their primary purpose: to install rootkits on government worker machines to facilitate access to confidential government documents. On top of the growing number of attacks leveraging this weakness, the Metasploit framework (an open source hacking tool used by security researchers and white-hat hackers) just released a module to the public that demonstrates how this security flaw can be used to hack IE, theoretically making it even easier for malicious agents to understand and develop their own exploits. Microsoft has yet to say when a patch will be released to fix this weakness, which affects just about every version of IE from 6 through 10.
What this means for you:
If you are using Internet Explorer, whether by corporate mandate or by choice, make sure you’ve applied Microsoft’s temporary fix, or ask your IT guy if they’ve distributed the fix throughout the company. If you work for the government, either as an employee or contractor, be extra wary of strange behavior on your computer, and ensure that your antimalware software is fully functional and up to date.
If you are using some other browser, you don’t have to worry about this particular exploit, but as always, remain ever vigilant and make sure your OS, software and antimalware are fully patched!
In case you were worried that Internet Explorer might be gaining ground as a secure web browser, security researchers have uncovered another zero-day vulnerability that is actively being exploited in versions 8 and 9 of Internet Explorer. I’ll spare you the gory details, but the gist of the hole is that it can be exploited in a simple “drive-by” attack, and doesn’t even require interaction from the user. Sadly, this weakness seems to afflict all versions of Microsoft’s web browser, including the yet-to-be-released version 11. Microsoft is aware of the issue, and is working to plug the hole, but could be weeks away from a formal fix.
What this means for you:
If you are using IE 8 (extremely likely if you are still using Windows XP), or IE 9 (also likely throughout much of the corporate world), there is a Microsoft Fixit that can be applied, and enterprise IT shops can address this centrally if they are running well-managed computer fleets. If you are leery of applying temporary patches and are not restricted to using Microsoft’s browser, you can give Chrome, Firefox or even Safari a try until Microsoft issues a formal patch for this exploit. At minimum, make sure your anti-malware is up to date and working, and watch carefully for suspicious behavior while surfing the internet, especially if you are visiting new/unfamiliar websites.
Hackers have compromised a Department of Energy website, leveraging a previously undiscovered security flaw in version 8 of Microsoft’s Internet Explorer. IE 8, which is now 2 versions back from Microsoft’s most recent release (v10), is used by almost a quarter of all Internet Explorer users, and is most commonly found on Windows XP computers. The “watering hole” style attack is thought to be the work of Chinese hackers based upon the malware used and the command and control protocols used. The hacked website is used by the DOE to disseminate information on radiation-based illnesses, leading analysts to believe that this was a targeted attack aimed at compromising the computers of government employees working with nuclear weapons and reactors, ostensibly for the purposes of gaining access to classified information and systems.
What this means for you:
This is the first instance of this particular exploit being discovered, but given the publicity and Microsoft’s well-known inertia in issuing security updates for its older products, there is a chance that if you are still using IE 8 you could be at risk. Microsoft recommends upgrading to a newer version of Internet Explorer, but in the event that you are unable to upgrade due to your business requirements or application limitations, Microsoft has issued the following guidance for working around the security flaw until it can be patched:
- Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Add sites that you trust to the Internet Explorer Trusted sites zone to minimize prompt disruption
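The three workarounds above are per-user Internet Explorer zone settings, and on a managed fleet they are easier to apply and audit from a script than by clicking through Internet Options on each machine. The following PowerShell is an added example, not Microsoft's guidance or code from the original post: it writes the documented zone registry entries (zone 1 = Local intranet, 3 = Internet, 2 = Trusted sites; entry 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins; CurrentLevel 0x12000 = High) and then reports what each zone actually contains. The trusted-site list is a constructed sample, and the function name is my own.

```powershell
# Added example (not from the original post): apply the three IE workarounds
# above via the per-user registry keys IE reads for its security zones, then
# verify them. Assumptions: the paths and value numbers below are the documented
# IE zone settings; the trusted-site list is a constructed sample.

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers IE uses: 1 = Local intranet, 2 = Trusted sites, 3 = Internet
$hardenZones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Action values shared by the 1xxx entries: 0 = enable, 1 = prompt, 3 = disable
$Prompt  = 1
$Disable = 3

# Security slider value stored in CurrentLevel: 0x12000 = High
$HighLevel = 0x12000

foreach ($id in $hardenZones.Keys) {
    $key = Join-Path $zoneRoot $id
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Step 1: move the slider to High. Note that CurrentLevel only records the
    # level; the individual 1xxx entries below are what IE actually enforces.
    Set-ItemProperty -Path $key -Name 'CurrentLevel' -Type DWord -Value $HighLevel

    # Step 2: prompt before Active scripting (1400) and block ActiveX (1200)
    Set-ItemProperty -Path $key -Name '1400' -Type DWord -Value $Prompt
    Set-ItemProperty -Path $key -Name '1200' -Type DWord -Value $Disable
}

# Step 3: put sites you trust in zone 2 so they are not hit by the prompts.
# Constructed sample list; replace with the sites your organisation relies on.
$trusted = @('intranet.example.com', 'payroll.example.com')
foreach ($site in $trusted) {
    $domKey = Join-Path $zoneMap $site
    if (-not (Test-Path $domKey)) { New-Item -Path $domKey -Force | Out-Null }
    # Value name is the scheme, data is the zone number (2 = Trusted sites).
    # Only https is mapped so a plain-http site of the same name stays untrusted.
    Set-ItemProperty -Path $domKey -Name 'https' -Type DWord -Value 2
}

# Translate a 1xxx action value into words for the report
function Convert-ZoneAction([int]$value) {
    switch ($value) {
        0       { 'enabled' }
        1       { 'prompt' }
        3       { 'disabled' }
        default { 'unknown' }
    }
}

# Verification: report what each hardened zone actually holds, so desktop
# support can confirm the workaround took effect on a given machine.
function Get-IeZoneHardeningReport {
    foreach ($id in $hardenZones.Keys) {
        $p = Get-ItemProperty -Path (Join-Path $zoneRoot $id)
        [pscustomobject]@{
            Zone           = $hardenZones[$id]
            LevelIsHigh    = ($p.CurrentLevel -eq $HighLevel)
            ActiveScripting = Convert-ZoneAction $p.'1400'
            ActiveX        = Convert-ZoneAction $p.'1200'
        }
    }
}

Get-IeZoneHardeningReport | Format-Table -AutoSize
```

Two caveats for anyone using this on a domain: Group Policy settings for IE security zones live under the Policies hives and take precedence over these HKCU values, so check the report rather than assuming the script's writes stuck; and the script changes nothing for the Trusted sites zone itself, which is the point, since anything you list there keeps its normal behaviour.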
As I’m not a Microsoft employee, I can also recommend switching browsers to Chrome or Firefox. Both issue security updates much more rapidly, and though they are not free of security flaws and zero-day exploits, both browsers typically fare better than IE in terms of overall security strength.
Carnegie Mellon University’s CERT and the Department of Homeland Security have issued a broad warning about using the latest version of the Java 7 plug-in for web browsers, and some browser manufacturers have already taken steps to disable Java application execution until the vulnerability can be fixed. The security flaw is already being exploited in the wild, and can be used to run malicious code without the victim’s permission or even awareness. Oracle is investigating, but has not indicated when the hole would be patched, aside from promising a fix “shortly.”
What this means for you:
Unless you have a really good reason to keep running it, you should probably disable Java until Oracle can fix this problem. Unlike other vulnerabilities that affect specific browsers (Internet Explorer has been notorious for flaws in the past), this particular problem affects all browsers that have a Java 7 plugin, including the Apple OS. Oracle has had problems in the past with providing quick patches for the Java platform, so until they do, the safest approach is to disable the plugin in your browser.
According to security firm Exodus, the patch to Internet Explorer 6, 7 and 8 released on December 31 only fixed one of several ways to exploit a weakness in Microsoft’s browser. In their research on this exploit, Exodus continued to develop more aggressive ways to exploit the documented weakness and in doing so uncovered a means that bypasses Microsoft’s fix, but they are withholding details from the public until Microsoft has a chance to address their findings. A number of human rights and government sites have been compromised with malware agents that exploit this weakness, which appears to be part of a larger campaign by the “Elderwood Gang” – a highly effective and well-backed group of hackers that have been targeting high-profile government sites since 2009, ostensibly with financial and espionage-based goals.
What this means for you:
Internet Explorer 6, 7 and 8 are still considered vulnerable, though no one has documented any websites yet taking advantage of the exploits discovered by Exodus. The fact that there are still holes in IE browser security will not go unnoticed, and if Exodus can develop work-arounds for Microsoft’s patch, you can bet groups like “Elderwood” will be able to do the same, if they haven’t already. Your best short-term solution is to either use another browser like Chrome or Firefox until Microsoft can fully patch this weakness, or upgrade your Internet Explorer to version 9 or 10 as soon as possible. If you are working for an organization or using software that requires backward compatibility to IE 7 or 8, you should consider having a serious discussion with the IT department about their reasons for maintaining what is increasingly becoming an untenable stance. If you are required to use IE 6 for some unfathomable reason, you should stop what you are doing immediately and consult with an IT professional, as IE 6 is a magnet for security exploits.
It might be the last day of 2012, but there’s still time to issue yet another patch to fix a zero-day exploit in Microsoft Internet Explorer 6, 7 and 8. Confirmed on Saturday by Microsoft, this patch fixes a vulnerability in all versions of IE prior to v9 that may allow hackers to gain control over a victim’s machine. This latest weakness is likely to be exploited when a computer using one of the versions of the aforementioned browser visits a malicious website, allowing it to run code that can corrupt the memory on the victim’s computer and from there execute malicious code as the logged in user, potentially resulting in backdoor installations, malware infections, and zombification.
What this means for you:
It’s conceivable you are still running IE 8, which was released in 2011, so you may be affected by this weakness. If you are running IE 7 or, impossibly, IE 6 (it was released in 2001 – over 10 years ago!), I’d say you are better off upgrading to the latest version of IE you can reasonably run on your computer, and then making sure it is patched appropriately.
A recent study by security firm NSS Labs shows that Google’s Chrome browser still has the best detection rate (94%) for spotting phishing URLs, and on average, new malware sites are reported and blocked by all browsers within 5 hours of discovery, a significant improvement over the 16+ hours that same process would have taken in 2009. Firefox showed the best response time to reporting and blocking new sites at 2.3 hours – more than twice as quick as IE10.
What this means for you:
All of the major browsers have significantly improved their ability to protect users, to the point that there is very little statistical difference in their security capabilities. Many of my clients still ask me if one is better than the other, and the answer is always, “It depends on what you need the browser to do.” I still use Chrome for most of my work, but there are still enough times when I’m working with online apps that only work with Internet Explorer. The most important factor to consider is making sure whatever browser you do use is kept up to date, and that you practice safe and cautious surfing whenever working with unfamiliar websites.