Category Archives: Internet Explorer

Microsoft issues special update for Internet Explorer

We recently reported on a serious vulnerability affecting all versions of Internet Explorer that is being exploited on the web.

Well, it appears that Microsoft sees this vulnerability as very serious, because they are planning to release an update – later today – that addresses the problem. This is an ‘out-of-band’ update, meaning that it’s considered too important to wait for the next Patch Tuesday.

Just in case you were wondering, this vulnerability affects all versions of Internet Explorer on all versions of Windows, including Windows XP. But the patch will not be made available for Windows XP computers.

Update 2014May02: Surprisingly, Microsoft has decided to make this update available for Windows XP. I confirmed this by running Microsoft Update on my WinXP test system: security update 2964358 was offered, and I installed it without any difficulties. Reading through the associated bulletin (MS14-021) there is no explanation for this decision, but there is confirmation, in the section titled “Security Update Deployment – Windows XP (all editions)”, and in a related post on the MSRC blog. The Verge has additional details, as does Ars Technica. The Ars Technica post includes the official explanation from Microsoft:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded) today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.

Update 2014May02: Another Ars Technica post makes the argument that releasing a patch for Windows XP was a mistake. The moment of truth will be Patch Tuesday for May 2014: will Microsoft stick to its guns and leave Windows XP out of the next set of patches?

New Internet Explorer vulnerability

On April 26, Microsoft released Security Advisory 2963983, which describes a newly-discovered vulnerability affecting all versions of Internet Explorer.

According to the related MSRC blog post, attacks based on this vulnerability are being seen in the wild, but so far those attacks are limited.

This IE vulnerability is apparently based on a vulnerability in Flash.

Microsoft is advising the usual caution, especially when clicking links in email and visiting unfamiliar web sites.

Presumably Microsoft will produce a patch for this vulnerability, and an interim ‘Fix-It’ workaround may be made available soon, but in the meantime, you should either stop using Internet Explorer completely, or at least install and configure EMET.

Windows XP users should not – under any circumstance – still be using Internet Explorer as their default web browser or for browsing the web. This vulnerability is only the first in what is sure to be a long series that make using Internet Explorer on Windows XP extremely risky.

Update 2014Apr28: Ars Technica, The Verge, and the SANS InfoSec handlers diary all have additional information.

Flash Player 13 released

Yesterday, Adobe announced a new version of Flash, 13.0.0.182. The new version includes fixes for several security vulnerabilities (including one of the two found at Pwn2Own), as well as numerous other bug fixes and enhancements. There are also some new features, but these are mostly of interest to developers. The official release notes page has all the details.

As usual, the integrated versions of Flash in Internet Explorer 10 and 11 will be updated via Windows Update, and Chrome’s integrated Flash will be updated automatically by the browser itself.

Patch Tuesday for April 2014

It’s a very special Patch Tuesday: the last one for Windows XP and Office 2003. Security vulnerabilities in those products that appear after today will not be publicly patched by Microsoft. Also losing support today is the much-despised Internet Explorer version 6.

There are four bulletins and corresponding updates this month. Two are flagged as Critical. The updates address eleven security vulnerabilities (CVEs) in Office (including Office 2003), Windows (including Windows XP), and Internet Explorer (including IE 6).

As expected, one of the updates addresses the recently-discovered vulnerability in Word’s handling of RTF documents.

The MSRC blog has a good overview of this month’s updates.

Advance notification for April 2014 Patch Tuesday

Next Tuesday is much more significant than the usual Patch Tuesday, because this crop of updates will be the last one for both Windows XP and Office 2003.

After April 8, most of the IT-enlightened world will be holding its collective breath, waiting for a likely deluge of hacks, attacks and malware based on vulnerabilities in Windows XP and Office 2003.

According to the official advance warning bulletin from Microsoft, this month’s updates will include patches for Office, Windows and Internet Explorer. Two of the patches are flagged as Critical.

One of the patches addresses the recently-discovered vulnerability in Word’s handling of RTF documents.

As usual, there’s a somewhat less technical overview of the upcoming updates on the MSRC blog.

The SANS InfoSec Handlers Diary blog has its own take on the upcoming updates.

Microsoft updates for March 2014

Yesterday was Patch Tuesday, and Microsoft released five updates for Windows, Internet Explorer, and Silverlight. Two of the updates are flagged as Critical. The official summary bulletin has all the technical details, and a post on the MSRC blog has a less technical breakdown of the updates.

As expected, one of this month’s updates fixes the recently-reported zero-day vulnerability in Internet Explorer.

Advance notification of March updates from Microsoft

Patch Tuesday for March 2014 happens on March 11. Microsoft currently plans to publish five new bulletins and associated patches starting at 10am PST on that date. The patches will address vulnerabilities in Windows, Internet Explorer, and Silverlight. Two of the patches are flagged as Critical.

One of the patches will fix the Internet Explorer vulnerability recently reported here.

Internet Explorer vulnerable to new attack

Update 2014Feb19: Microsoft has released a ‘Fix-It’ patch that apparently removes this vulnerability in Internet Explorer 9 and 10. They are expected to release a regular update at some point, but for now, if you have to use IE9/10, you should apply this Fix-It.

Ars Technica reports on a new vulnerability affecting Internet Explorer 9 and 10. Visitors to the American Veterans of Foreign Wars (VFW) web site who are using Internet Explorer will become infected with malware.

The VFW site was recently compromised, and altered to include code that loads the malware from another site. Presumably the VFW site will be cleaned up very soon, but the vulnerability in IE remains, so we can expect to see this malware being served up by other compromised web sites very soon.

Microsoft said that they are aware of the problem but there’s no word yet on a possible fix.

For now, since there’s no way to know which web sites to avoid, we recommend not using Internet Explorer at all for general web surfing.

Patch Tuesday, February 2014

It’s the second Tuesday in February 2014, so it’s time to patch your Windows computers. Originally there were only going to be five bulletins this month, but two more were added late. The updates fix security vulnerabilities in Internet Explorer, Windows and .NET. Four of the updates are flagged as Critical.

The summary bulletin has all the technical details, and Dustin Childs has posted a friendlier summary over at the MSRC blog.

As usual, a SANS ISC Diary post provides a security-focused interpretation of the month’s updates, with its own recommendations, as well as useful references (CVE identifiers) to the specific vulnerabilities addressed.

Flash version 12 released

Yesterday, Adobe announced new 12-series versions of the Flash player for various environments and browsers:

  • Internet Explorer 10 on Windows 8 (via Windows Update): 12.0.0.38
  • Internet Explorer 11 on Windows 8.1: 12.0.0.38
  • Other versions of Internet Explorer: 12.0.0.38
  • Google Chrome (self-updating): 12.0.0.41
  • All other browsers on Windows: 12.0.0.43

You can get the new version from the main Flash download site.

Flash 12 includes some new features and enhancements, as well as fixes for several security vulnerabilities.