Update: Thursday, May 1st, Microsoft released an ‘out-of-band’ security update to address the issue affecting Internet Explorer (IE) that was first discussed in Microsoft Security Advisory 2963983. The new security update MS14-021 – Security Update for Internet Explorer (2965111) ‘fixes’ the problem and for most of us running Windows 7 and above, this fix will be applied automatically. For XP users, you will need to do a little more work by downloading and applying the fix for your particular version of XP and IE. Go to the MS14-021 Security Bulletin web page for further instructions.
By the way, XP users, you need to understand that you will be under constant attack moving forward. Using this vulnerability as an example, on May 1st there was a new version of the IE attack that specifically targeted out-of-life Windows XP machines running IE8. The hacker community is VERY clever and when they see such a large population of users that are no longer being adequately supported, they’ll go to town. Please consider upgrading your computing environment – some advice provided here. I guarantee you’ll sleep better at night if you do.
**
Hackers have uncovered the first bug that could put Windows XP users at serious risk, after Microsoft ceased support for the aging operating system less than three weeks ago.
On Saturday, Microsoft announced that Internet Explorer versions 6 through 11 were at risk for so-called drive-by attacks from malicious websites. Windows XP is capable of running Internet Explorer 6, 7, and 8.
This new remote code execution vulnerability, dubbed CVE-2014-1776, has the potential to give hackers the same user rights as the current user. That means a successful attacker who infects a PC running as administrator would have a wide variety of attack open to them such as installing more malware on the system, creating new user accounts, and changing or deleting data stored on the target PC. Most Windows users run their PCs under an administrator account.
These attacks aren’t theoretical, either—security firm FireEye discovered these attacks being actively used in the wild. For these attacks to work, however, a user would have to visit a malicious website attempting to install the code. Microsoft says attacks could also come from “websites that accept or host user-provided content or advertisements” where an attacker could insert malicious code.
Microsoft has yet to decide whether it will issue an emergency patch in the coming days or wait for patch Tuesday on May 13 to repair supported versions of IE.
XP in the cold
Whenever Microsoft issues the patch, a significant portion of Windows PC users won’t be receiving the security update. Microsoft officially ended support for Microsoft XP on April 8, and the aging OS will no longer receive security updates as a result. So unless Microsoft does an about face, this appears to be the first post-support vulnerability where XP users are left to fend for themselves. Many more are sure to follow.
At last count, Windows XP accounted for nearly 28 percent of all online PCs worldwide. That’s more than Windows 8, 8.1, Vista, OS X 10.9, and Linux users combined, according to the latest numbers from Net MarketShare.
Luckily, Windows XP users can easily mitigate this vulnerability by simply using any Web browser but Internet Explorer. For longtime IE users on XP, turning to Google Chrome or Mozilla Firefox would be your best bet, both immediately and going forward.
Google has promised to support the XP version of Google Chrome until April 2015, while Mozilla has yet to announce a Firefox end-of-support date for XP. Should a vulnerability hit either of those browsers on XP it will be patched, unlike IE.
For those who absolutely must use IE, Microsoft advises downloading and installing the Enhanced Mitigation Experience Toolkit (EMET) 4.1. This utility helps to protect against malware and is available for Windows XP PCs with service pack 3 installed.
You can also run IE in a more secure mode by going to Internet Option s> Security and setting the slider to High.
Microsoft’s Saturday alert may be the first example of a serious exploit already in the wild that will put Windows XP users permanently at risk. It won’t, however, be the last, security experts say. In March, security firm avast! said that Windows XP was already under attack six times more often than Windows 7—and that was before the OS went end-of-life.
http://abcnews.go.com/Technology/wireStory/microsoft-warns-internet-explorer-security-gap-23501356
Microsoft says a security gap in Internet Explorer could allow an attacker to take complete control of a computer if the user clicks on a malicious link.
The vulnerability affects versions 6 through 11 of the Web browser.
Microsoft Corp. said Saturday that it was aware of “limited, targeted attacks” that tried to exploit the security gap. The company is working on a fix which it plans to provide in a software update on May 13.
In the meantime, Microsoft encourages customers to enable a firewall, apply all software updates and install anti-malware software.
A division of the Homeland Security Department recommends that users download a security toolkit from Microsoft or use another browser until an update becomes available.
Onlinespies are using a previously unknown flaw in Microsoft’s Internet Explorer browser for targeted attacks, researchers at Microsoft and security firm FireEye announced Saturday (April 26). A patch to fix the flaw is not yet available.
The flaw lets attackers control processes on the targeted computer and, in certain cases, install more malware without the user’s knowledge. InternetExplorer versions 6 through 11 are affected, but the attackers seem to be focusing on IE 9 through 11, which together account for a quarter of global browser market share.
All Windows users should avoid using Internet Explorer until a patch is made available. Windows XP users will not be receiving a patch at all. Such attacks on previously unknown security flaws are called zero-day exploits, because researchers have zero days to prepare fixes before the attacks begin.
Milpitas, Calif.-based FireEye first discovered the attacks, which it describes as an “ongoing campaign” dubbed “Operation Clandestine Fox” in a blog post, adding that “for many reasons, we will not provide campaign details.”
Significantly, FireEye’s researchers said the attackers were an “APT group” that previously has had “access to a select number of browser-based 0-day exploits.” APT, or advanced persistent threat, is often taken as a euphemism for Chinese state-sponsored digital spies.
Over the past two years, several espionage campaigns using different Internet Explorer zero-day exploits have targeted information useful to Chinese policymakers and companies. Many involved “watering hole” attacks, in which attackers embed browser-infecting malware in a website likely to be visited by individuals whose computersmay contained desirable information — much as predators expect prey to gather at a watering hole.
For those reasons, general computerusers may not now have much to fear from “Operation Clandestine Fox.” But ordinary cybercriminals, who chase money instead of information, are likely to take advantage of this Internet Explorer flaw in the future.
The actors behind “Operation Clandestine Fox” are leveraging a known Adobe Flash Player exploit to access the Internet Explorer flaw, corrupting or creating Web pages that have malicious Flash (.SWF) files on them. (This technique does not involve a flaw in Adobe Flash Player itself.)
If you’re using a vulnerable version of Internet Explorer to browse the Web, and you land on one of these rigged pages, it may trigger a drive-by download that infects a browser without the user’s knowledge. The Flash file will alter the affected computer’s memory, creating the opportunity to exploit the Internet Explorer flaw.
In its own blog post, Microsoft says it will soon issue a patch for all supported versions of Windows and Internet Explorer. Windows XP won’t be getting it, since Microsoft stopped supporting the 13-year-old operating systemearlier this month.
Nevertheless, there are still a few things that users of all versions of Windows can do. First, stop using Internet Explorer, at least until this flaw is patched. (XP users should not be using Internet Explorer at all.) We recommend switching to Google Chrome, Mozilla Firefox, Opera or WhiteHat Aviator, all of which will support XP for at least another year.
Disabling all Adobe Flash browser plugins in IE will also stop the attack, since Flash is a necessary stepping-stone for the attack to work.
You can also download and install Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) version 4.1, which is available free on Microsoft’s website and can improve Windows security.
Disabling a feature in Internet Explorer called “Active Scripting” will also prevent Flash from running in the browser.
Microsoft says that disabling an Internet Explorer extension called “VGX.dll” will also stop the attack. VGX.dll supports vector graphics rendering in the browser.
Because the zero-day exploit gains the Windows user’s privileges, surfing the Web under a limited-user account will mitigate, if not completely stop, the attack and prevent the malware from affecting an entire PC.
Clicking on one malicious link in Internet Explorer may be all it takes for hackers to hijack your computer, according to warnings issued today by Microsoft and the Department of Homeland Security.
Federal officials advised that people should avoid using Internet Explorer browser versions six to 11 until Microsoft has successfully patched the glitch.
The United States Computer Emergency Readiness team said the vulnerability “could lead to the compromise of an affected system.”
How to Protect Yourself From Internet Explorer Flaw
Windows XP Support Expires: What You Need to Do
The latest flaw works by tricking users into visiting a malicious website that then quietly installs malware, turning control of the system over to hackers, according to the Microsoft security advisory
Internet Explorer is the top browser, accounting for nearly 58 percent of users last month, according to NetMarketShare.
Mozilla’s FireFox and Google Chrome round out the other most popular browsers.
People using the 12-year-old Windows XP operating system are especially vulnerable since Microsoft announced earlier this month it would no long provide technical assistance and automatic updates to protect users’ PCs.
“If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses,” the company said on its website and encouraged users to upgrade their operating systems.
http://abcnews.go.com/Technology/protect-internet-explorer-security-flaw/story?id=23518910
Getting around Internet Explorer, a popular workplace browser, may be unavoidable even as Microsoft works to patch a bug that could allow hackers to take complete control of user’s computers.
“It’s definitely something users need to be concerned about,” Bill Carey, vice president of marketing at Siber Systems, a Fairfax, Va., based software company, told ABCNews.com.
All it takes is clicking on one malicious link in Internet Explorer to allow hackers the opportunity to completely take over your computer, according to warnings issued earlier this week by Microsoft and the Department of Homeland Security.
Read More: Internet Explorer Glitch Leaves Computers Vulnerable to Hackers
If you can’t avoid Internet Explorer, Carey offered a few tips for making sure you stay safe online.
Update Your Software
Make sure you’re current on your software updates so any security loopholes are closed. People using the 12-year-old Windows XP operating system are especially vulnerable since Microsoft announced earlier this month it would no long provide technical assistance and automatic updates to protect users’ PCs. Consider upgrading your operating system.
Close Your Browser
When you’re done with using a website, log off and close your browser. This will help prevent others from gaining access to your account.
Control Your E-Mail
Have a disposable e-mail address. Only give your actual e-mail address out to who people who need it. Carey said this will help you avoid mass spam and keep your inbox clean.
Have A Strong Password
Carey advises using a “keystroke” method for making passwords and creating a “keyboard mapping system.” One key to the left and one up would make the password “tinmen” change to “47gh2g.”
Disable E-Mail Photos
Disable pictures on your email and read it in plain text. The sender will not be able to identify if you have opened the e-mail, Carey said.
