Archive for September, 2012

Microsoft patches IE zero-day and Flash flaws in IE 10

September 21, 2012

Microsoft has delivered on its promise and has issued a security update for Internet Explorer to address the zero-day memory-corruption vulnerability in versions 9 and earlier that is currently being exploited in attacks.

The update also takes care of four privately disclosed vulnerabilities that are currently not being exploited.

In addition to this, Microsoft has also released an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012, in order to close two vulnerabilities that could allow remote code execution.

One of them – CVE-2012-1535 – is currently exploited by the Elderwood gang – a hacker group whose activities have been recently exposed by Symantec researchers.

“We recognize there has been some discussion about our update process as it relates to Adobe Flash Player. Microsoft is committed to taking the appropriate actions to help protect our customers and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” commented Yunsun Wee, director of Microsoft Trustworthy Computing.

He also announced that with respect to Adobe Flash Player in Internet Explorer 10, users can expect regular updates on a quarterly basis, and additional unscheduled updates if the threat landscape requires it.

“Internet Explorer zero-days have been very rare in recent months. The last IE zero-day was in December of 2010 and it was patched in the February, 2011 patch Tuesday. The good news is that zero days are becoming far less frequent across all Microsoft products,” Andrew Storms, director of security operations for nCircle, commented for Help Net Security.

“Microsoft’s ability to go from advisory to patch release so quickly demonstrates their commitment to providing customers with a secure computing environment. Earlier this year, Microsoft stated that they had enough resources to deliver an IE patch every month if necessary. Those additional resources certainly helped them deliver this patch in record time.”

Users who have not enabled automatic updating are advised to manually check for updates and download and install both of today’s updates as soon as possible.


Exploit Released for Zero-Day in Internet Explorer

September 18, 2012

A working exploit that takes advantage of a previously unknown critical security hole in Internet Explorer has been published online. Experts say the vulnerability is being actively exploited in the wild, and that it appears to be connected to the same group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits late last month.

Researchers at security vulnerability testing firm Rapid7 have added a new module to the company’s free Metasploit framework that allows users to successfully attack the vulnerability on Internet Explorer versions 7, 8 and 9 on Windows XP, Vista and 7.

“Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user,” Rapid7 researcher “sinn3r” wrote on the firm’s blog. “Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk.”

News of the IE exploit surfaced at the blog of security researcher and blogger Eric Romang, who said he discovered the attack code while examining a Web server recently used by Chinese hackers to launch targeted attacks via zero-day Java vulnerabilities that were patched by Oracle last month. Romang and other experts have connected the sites serving those Java exploits to the Nitro attacks of 2011, espionage attacks directed against at least 48 chemical and defense companies.

I suspect Microsoft is preparing an advisory about this threat, and will update this post when I receive a response. Until an official fix is available, IE users would be wise to surf with another browser.

Millions of websites disappear from the internet

September 10, 2012

Blame GoDaddy: the largest domain registrar in the world has suffered a major failure of some kind in its DNS services. GoDaddy manages approximately 53 million domain names, though not all rely on GoDaddy’s DNS services. Those that do use its DNS service and hosting service have been knocked completely offline (websites which only use GoDaddy for DNS but not hosting may still be accessible via IP address).

So, if your favorite website has been down today, this might be why; also, any e-mail sent to an affected domain may or may not be delivered. And to add a wrinkle, Anonymous has claimed responsibility, though this has not been confirmed.

Further reading:
GoDaddy’s Official Twitter page
Internet Storm Center daily diary […]