Another new exploit has been discovered by security researchers, this one affecting Internet Explorer. The exploit uses two as-yet unpatched vulnerabilities in IE 7 through 10.
Microsoft is obviously concentrating its development efforts on Windows 8, but they haven’t totally forgotten that much of the world still runs Windows 7. Windows XP users are out of luck, but Windows 7 users can now install Internet Explorer 11, which was previously only available for Windows 8.
Tuesday, November 12 will see a modest batch of updates from Microsoft. There will be eight bulletins in total, with five Critical updates addressing vulnerabilities in Windows and Internet Explorer, and three Important updates addressing vulnerabilities in Windows and Office.
Microsoft has issued a security advisory to users of Office on Windows Vista. A newly-discovered vulnerability in Microsoft Office versions 2003 through 2010, when running on Windows Vista, is already being exploited by nefarious hackers.
If you are using Office 2003 to 2010 on Windows Vista, you should take steps to protect yourself until Microsoft releases a patch for this vulnerability:
This vulnerability also affects Office 2003 through 2010 running on Windows Server 2008, but you shouldn’t be running desktop applications on server software anyway, right?
I don’t have a smartphone. I’ve fiddled with them, and I use one for app development. But the mobile device I actually use for day-to-day phone communication is an ancient Nokia 2610b. Hey, don’t laugh – it works.
I’ve never had any issues with call quality, or any other problems with this phone. It lets me download media from arbitrary web locations and use any sound file as a ring or other tone. It’s sturdy; I literally use it as a beer bottle opener. Of course it doesn’t have a full keyboard, and the buttons are tiny, but I’m no rapid-fire texter anyway. The display is very basic, but it works for me.
I’ve been tempted on many occasions to buy a smartphone. The coolness factor alone has almost triumphed, but so far I’ve resisted its lure. Sure, smartphones can do lots of cool stuff, and I have no doubt that if I owned one, I’d spend a lot of time playing with it. But in the end, the only features I would really use are the phone, contacts, text messages (including alerts from Google Calendar), and occasionally the timer and alarm.
Until today, I thought I might end up using the 2610b until it died (which is unlikely), the battery stopped holding a charge (original battery is still going strong), or somehow it was no longer supported by my carrier (also unlikely).
What changed my mind? Microsoft released a mobile version of Remote Desktop. That’s the software I use to remotely control the Windows PCs I administer. I use it to administer the media computer downstairs, and the server next to me. I use it to manage client computers in this and other cities. And I use it to access my main PC when I’m elsewhere. It’s indispensable. And now it runs on Android and iPhone devices.
This changes everything: now I have a valid reason to buy a smartphone. But I’ll continue to resist as long as I can.
Windows 8 Service Pack 1 Windows 8.1 is now available. If you’re not already running Windows 8, you can purchase 8.1 from the Windows Store. If you are using Windows 8, you should start seeing prompts in the Windows Store to upgrade to 8.1 (a free download).
In the past, when a Windows Service Pack became available, savvy users tended to stay away until the inevitable problems were resolved. I don’t see any particular reason to charge blindly into Windows 8.1 either. My advice is to wait for at least two weeks and monitor this and other tech blogs for reports from early adopters.
Ars Technica and The Verge have additional information:
Patches from Microsoft and Adobe were announced today, along with a new version of Flash.
Eight bulletins from Microsoft fix security vulnerabilities in Windows, Internet Explorer, .NET, Office, Windows Server and Silverlight.
The Microsoft Security Research Center as usual provides a more friendly overview of this month’s patches, while the SANS Internet Storm Center provides a wealth of technical details.
Next Tuesday, October 8, will see patches from Microsoft (for Internet Explorer, Windows, .NET, Office and Silverlight) and Adobe (for Reader/Acrobat).
Given that the vast majority of Windows systems are configured to download and install updates automatically, it’s critical for Microsoft to ensure the quality of those updates. One seriously bad update could cripple millions of Windows computers.
If you are using one of the affected browsers (likely all versions of Internet Explorer) and you visit a web site that has been compromised with malicious code that targets this vulnerability, an attacker might be able to execute arbitrary code on your computer remotely.
Microsoft issued security advisory 2887505 to warn and provide guidance to users. Workarounds include installing EMET and raising the security settings related to running ActiveX within the browser.
No patch for this vulnerability has yet been published by Microsoft, although there is a temporary ‘Fix-It’ solution available from Microsoft.
Update 2013Sep21: The SANS Internet Storm Center has been monitoring this issue. They have confirmed seeing related exploits in the wild. They also confirmed that Microsoft’s ‘Fix-It’ solution prevents these exploits, but only in 32-bit versions of Internet Explorer.
Update 2013Oct03: The developers of the controversial hacking toolkit Metasploit have released a module that exploits this IE vulnerability. This is likely to spur an increase in the number of attacks based on this vulnerability. Microsoft has yet to release a proper fix. If you use Internet Explorer for anything other than Windows Update, you should consider applying the temporary Fix-It solution or installing EMET (see above).
Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.