Back in 2014 Microsoft announced that in 18 months it would cease to support older versions of Internet Explorer on currently supported operating system platforms. As of January 12th, Microsoft is making good on that promise and will only support the latest version of its web browser on supported OSes. You might think that this will mean fewer zero-day exploits of older versions of IE (one of the biggest security risks to date) because people will be forced to abandon the older browsers, but not so fast! Microsoft is trapped within their own doublespeak, and the catch is “latest version of IE released on a particular supported platform”.
What on earth does that mean?
If you happened to only skim (instead of read) their 2014 announcement or the news stories released this week about this new policy, you might have come away with the impression that Microsoft was finally dropping support for older versions of IE, namely 6, 7, 8, 9 and 10. Depending on your business need, this may have been cause for celebration or hair pulling, but a slightly deeper dive on this tells a less draconian tale. In a nutshell, depending on the operating system, some older versions will still be getting patched and updated, but only because the newer versions of IE were never officially released on a particular OS. Still confused? That’s OK, it’s Microsoft, so just shrug and take away the following:
1. Microsoft will still be patching older versions of Internet Explorer as far back as version 7, but…
2. Patches for versions 7-9 are likely to be hard to get, if not near impossible for normal consumers.
3. Don’t use older versions of IE unless you have a compelling business restriction that prevents the use of IE 11.
4. Businesses relying on websites that require the use of older versions of IE should be upgraded ASAP. You are putting your employees/clients/customers in danger.
5. Remember #3? If you have to use Internet Explorer, you should be using version 11. It has competent backwards-compatibility capabilities that should work with websites that require older versions of IE to function.
Under the auspices of saving battery life on laptops, Google just made good on their promise in June of this year to pause Flash elements on webpages loaded in their browser, Chrome. Though they don’t outright name what elements they are targeting *cough* advertising *cough*, as of September 1, Chrome will, by default, no longer autoplay Flash-based media on any page. If you want to punch that monkey to win a prize, you will have to click on the advertisement to get it to dance around on your screen. Now before you break out the champagne, this certainly doesn’t mean the end of web advertising by any stretch of the imagination – many of the ads you see are HTML5-based (including Google’s own AdWords platform) – but seeing as Chrome has 50% of the browser market share, it’s a safe bet that many, many advertisers will stop using Flash as a delivery mechanism, and given Flash’s long history of security weaknesses, this is a good thing.
What this means for you:
If you’re using Chrome as your main web browser, make sure it’s updated to the latest version, and start breathing the Flash-paused air. Firefox users have been enjoying this particular state for a little while now, as Mozilla put Flash in permanent time-out last month. If you are still using Internet Explorer (and many, many folks are required to because of various corporate applications) you can also experience a Flash-paused existence by following the steps outlined in this article.
Most importantly, if your website was designed with Flash elements (as many were up to about 2 years ago), it’s time to refresh your online presence to marginalize or eliminate the dependency on Flash. Its days are well and truly numbered.
Lest you think Microsoft has finally plugged the many holes in the S.S. Internet Explorer, Patch Tuesday December includes four critical updates (Microsoft’s “critical” rating means they should be applied immediately) addressing newly discovered weaknesses, including an active zero-day exploit of the OLE (Object Linking & Embedding) platform. This particular chunk of code allows Microsoft apps like Office Word and Outlook to exchange documents between each other: when you insert an Excel spreadsheet into a Word document and it shows up as an editable spreadsheet, that’s OLE at work. In this case, the exploit allows hacked Office documents attached in Outlook emails to circumvent security, typically for the express purpose of installing other malware onto the victim’s machine.
What this means for you:
I can already see your eyes glazing over, and I don’t blame you. Microsoft’s bulletins are making me cross-eyed as well. Here’s what you need to do:
1. Make sure your OS is patched. The updates should start arriving on computers as early as tonight. Unless your machine is being managed by an internal IT department and they’ve disabled this functionality, your Windows OS should be set to automatically download and patch all important updates from Microsoft. If you are not sure if your computer is set up this way, you can check by going to Control Panel -> Windows Update.
2. If you must use Internet Explorer, avoid using it until you get fully updated with the latest round of patches (see #1). If it’s possible, consider using an alternative such as Firefox or Chrome. While neither is guaranteed free of security bugs, they are still faring better than IE in terms of exploits.
As always, avoid opening strange and/or unexpected attachments. If you regularly exchange documents with others via the internet, consider using a secure filesharing platform other than Dropbox or Drop or any of the numerous clones that offer free apps. Instead, look into options like Citrix Fileshare (we use it here at C2) for a much more secure and fully encrypted way to exchange documents.
I shouldn’t have worried that my special “Microsoft Zero-day Warning” graphic was going to gather dust. Would it surprise you to hear that a serious security flaw has been found in all versions of Internet Explorer up to the latest, version 11? This particular loophole allows attackers to use a specially crafted Flash file downloaded from compromised websites (like the ones linked to in spam, scams and phishing emails) to gain full access to your computer, and will likely lead to a badly infected computer and theft of your personal information. Though there are some band-aids offered by Microsoft, as of now there is no word whether this hole will be plugged by an emergency patch released soon, or on “Patch Tuesday” (2 weeks from now), or even later than that. Because of the severity of the security flaw, even the Department of Homeland Security is recommending everyone avoid using IE until this is fixed. Oh, and remember Windows XP? It won’t be getting patched, so yet another burning reason to switch browsers, and upgrade as soon as possible.
What this means for you:
This flaw is being exploited “in the wild” as you read this, though not widespread yet, and has thus far been used to target government employees and defense contractors. Given how large the target surface is, this exploit is highly likely to spread beyond these focused attacks. Unless your work requires it (or disallows the use of other browsers), you should stop using Internet Explorer for anything except known work-related websites. And if you have to use IE, you can disable the Flash add-on until the hole is plugged. This article from Microsoft explains how to do this, but make sure you use the little drop-down to the right of the headline to switch to the appropriate version of IE for specific steps. Chrome, Firefox or Safari are good alternatives to IE, and who knows, you may find that they can permanently replace IE for most of your web browsing tasks.
The first Tuesday of every month is commonly known as “Patch Tuesday” in the IT industry, and is called thus because Microsoft issues its monthly batch of patches and security fixes to its operating systems and applications, most notably Internet Explorer. February’s selection features a whopping 31 CVEs (common vulnerabilities and exposures) that have been fixed in 4 “critical” updates and 3 “important” updates. Chief among the fixes are patches to all versions of Internet Explorer 6 through 11 to fill holes in the web browser that Microsoft anticipates being exploited in the next 30 days. Adobe also issued a fix for its Shockwave Media Player (a legacy multimedia player that may be installed on older PCs), not to be confused with Adobe Flash, which was also patched last week to combat a security hole that was actively being exploited on the internet.
What this means for you:
Depending on whether your technology is managed by an IT department, 3rd-party provider like C2, or just by you, your Windows computers may update in the next day or two, or further out if your IT department tests MS updates before patching your company’s fleet. The ones that really need to pay attention are those that manage the software updates personally, as it’s easy to forget about or ignore the Windows Update process.
Not sure if your computer’s OS needs an update? Go to Control Panel -> Windows Update and read the information presented there. It will tell you if there are any updates waiting to be applied, when your computer was last updated, and you can even see a full history of what was updated previously. You can also double-check to see how your computer is set to check and apply updates. The best choice for most non-managed computers is the default setting for Windows Update, which is to download and apply all “important” and “critical” updates automatically on a regular schedule.
If you need to check whether Adobe Flash is properly patched, you can visit http://helpx.adobe.com/flash-player.html to check what version you have installed and whether it is working properly.
It’s nice that Microsoft can keep guys like me busy. Luckily, exploitation of their latest zero-day weakness seems to be limited (so far) to an advanced persistent threat (APT) attack targeting users of a specific national and international security policy website. This particular exploit is being delivered in a traditional “drive-by” attack when users of the English-version of Internet Explorer (specifically IE 7 and 8 on Windows XP, and IE 8 on Windows 7) visit this website. What distinguishes it from past threats is this malware’s ability to write malicious code directly to memory and then execute without writing to disk, a technique that makes detection and remediation much more difficult.
Microsoft intends to release a patch for this vulnerability as early as tomorrow (Nov 12). This is very fast for someone like Microsoft, and may be an indication of how serious this particular vulnerability might be.
What this means for you:
Though the exploit seems to be narrowly targeted at the moment, security researchers say it wouldn’t be hard to manipulate the existing attack software to affect all versions of IE from 7 through 10, and any language in which IE is distributed. Assuming you have the leeway to do so, I still recommend using another browser like Chrome or Firefox, which still have a better track record when it comes to catching and patching weaknesses like the above. If you are required to use IE, make sure Windows Update is functional, and that you apply all critical and important updates as they are downloaded to your computer. Larger companies may control how frequently Windows Updates are applied in their enterprise, but don’t be afraid to ask your resident IT representative if they are taking steps to keep Internet Explorer safe for your use.
As predicted, the zero-day flaw in multiple versions of Microsoft’s web browser, Internet Explorer, is now being actively exploited by multiple APT (Advanced Persistent Threat) groups in attacks that are targeting large numbers of people. The most publicized and successful of these attacks have been focused on government websites. Their primary purpose: to install rootkits on government worker machines to facilitate access to confidential government documents. On top of the growing number of attacks leveraging this weakness, the Metasploit framework (an open source hacking tool used by security researchers and white-hat hackers) just released a module to the public that demonstrates how this security flaw can be used to hack IE, theoretically making it even easier for malicious agents to understand and develop their own exploits. Microsoft has yet to say when a patch will be released to fix this weakness, which affects just about every version of IE from 6 through 10.
What this means for you:
If you are using Internet Explorer, whether by corporate mandate or by choice, make sure you’ve applied Microsoft’s temporary fix, or ask your IT guy if they’ve distributed the fix throughout the company. If you work for the government, either as an employee or contractor, be extra wary of strange behavior on your computer, and ensure that your antimalware software is fully functional and up to date.
If you are using some other browser, you don’t have to worry about this particular exploit, but as always, remain ever vigilant and make sure your OS, software and antimalware are fully patched!
In case you were worried that Internet Explorer might be gaining ground as a secure web browser, security researchers have uncovered another zero-day vulnerability that is actively being exploited in versions 8 and 9 of Internet Explorer. I’ll spare you the gory details but the gist of the hole is such that it can be exploited in a simple “drive-by” attack, and doesn’t even require interaction from the user. Sadly, this weakness seems to afflict all versions of Microsoft’s web browser, including the yet-to-be released version 11. Microsoft is aware of the issue, and is working to plug the hole, but could be weeks away from a formal fix.
What this means for you:
If you are using IE 8 (extremely likely if you are still using Windows XP), or IE 9 (also likely throughout much of the corporate world), there is a Microsoft Fixit that can be applied, and enterprise IT shops can address this centrally if they are running well-managed computer fleets. If you are leery of applying temporary patches and are not restricted to using Microsoft’s browser, you can give Chrome, Firefox or even Safari a try until Microsoft issues a formal patch for this exploit. At minimum, make sure your anti-malware is up to date and working, and watch carefully for suspicious behavior while surfing the internet, especially if you are visiting new/unfamiliar websites.
Hackers have compromised a Department of Energy website, leveraging a previously undiscovered security flaw in version 8 of Microsoft’s Internet Explorer. IE 8, which is now 2 versions back from Microsoft’s most recent release (v10), is used by almost a quarter of all Internet Explorer users, and is most commonly found on Windows XP computers. The “watering hole” style attack is thought to be the work of Chinese hackers based upon the malware used and the command and control protocols used. The hacked website is used by the DOE to disseminate information on radiation-based illnesses, leading analysts to believe that this was a targeted attack aimed at compromising the computers of government employees working with nuclear weapons and reactors, ostensibly for the purposes of gaining access to classified information and systems.
What this means for you:
This is the first instance of this particular exploit being discovered, but given the publicity and Microsoft’s well-known inertia in issuing security updates for its older products, there is a chance that if you are still using IE 8 you could be at risk. Microsoft recommends upgrading to a new version of Internet Explorer, but in the event that you are unable to upgrade due to your business requirements or application limitations, Microsoft has issued the following guidance for working around the security flaw until it can be patched:
- Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Add sites that you trust to the Internet Explorer Trusted sites zone to minimize prompt disruption
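To check whether a machine already matches the workaround above, the following added example (not part of the original post or of Microsoft's guidance) reads the zone settings from the registry. It assumes the standard Internet Settings zone layout (zone 1 = Local intranet, zone 3 = Internet; action 1200 = run ActiveX controls, 1400 = Active Scripting); `Get-ZoneAudit` is a hypothetical helper name.

```powershell
# Added example: read-only audit of the IE zone settings named in the workaround.
$zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions   = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$states    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$highLevel = 0x12000   # CurrentLevel value written by the "High" template

function Get-ZoneAudit {
    param([Parameter(Mandatory)][string]$Root)

    foreach ($zoneId in ($zones.Keys | Sort-Object)) {
        $path = Join-Path $Root "$zoneId"
        if (-not (Test-Path $path)) { continue }      # zone not configured at this location
        $props = Get-ItemProperty -Path $path

        foreach ($id in ($actions.Keys | Sort-Object)) {
            $raw = $props.$id
            if ($null -eq $raw) {
                $state = 'Not set here'
            } elseif ($states.ContainsKey([int]$raw)) {
                $state = $states[[int]$raw]
            } else {
                $state = "Other ($raw)"
            }
            [pscustomobject]@{
                Location   = $Root
                Zone       = $zones[$zoneId]
                Setting    = $actions[$id]
                State      = $state
                # Restricted = the workaround's goal: prompt first, or disable outright
                Restricted = ($state -in 'Prompt', 'Disabled')
                HighLevel  = ($props.CurrentLevel -eq $highLevel)
            }
        }
    }
}

# Per-user settings, then machine-wide Group Policy (which overrides them when present).
$locations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$locations | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ZoneAudit -Root $_ } |
    Format-Table -AutoSize
```

Any row with `Restricted` set to `False` for the Internet or Local intranet zone means that setting is not covered by the workaround on this machine.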
As I’m not a Microsoft employee, I can also recommend switching browsers to Chrome or Firefox. Both issue security updates much more rapidly, and though they are not free of security flaws and zero-day exploits, both browsers typically fare better than IE in terms of overall security strength.
Carnegie Mellon University’s CERT and the Department of Homeland Security have issued a broad warning about using the latest version of the Java 7 plug-in for web browsers, and some browser manufacturers have already taken steps to disable Java application execution until the vulnerability can be fixed. The security flaw is already being exploited in the wild, and can be used to run malicious code without the victim’s permission or even awareness. Oracle is investigating, but has not indicated when the hole would be patched, aside from promising a fix “shortly.”
What this means for you:
Unless you have a really good reason to keep running it, you should probably disable Java until Oracle can fix this problem. Unlike other vulnerabilities that affect specific browsers (Internet Explorer has been notorious for flaws in the past), this particular problem affects all browsers that have a Java 7 plugin, including the Apple OS. Oracle has had problems in the past with providing quick patches for the Java platform, so until they do, the safest approach is to disable the plugin in your browser.