Category Archives: Microsoft

Internet Explorer flaw being actively exploited

Yesterday, Microsoft announced that they are looking into reports of a security vulnerability potentially affecting all versions of Internet Explorer. Apparently an exploit for this flaw exists and has been observed in the wild, targeting IE 8 and 9.

If you are using one of the affected browsers (likely all versions of Internet Explorer) and you visit a web site that has been compromised with malicious code that targets this vulnerability, an attacker might be able to execute arbitrary code on your computer remotely.

Microsoft issued security advisory 2887505 to warn and provide guidance to users. Workarounds include installing EMET and raising the security settings related to running ActiveX within the browser.

No patch for this vulnerability has yet been published by Microsoft, although there is a temporary ‘Fix-It’ solution available from Microsoft.

Update 2013Sep21: The SANS Internet Storm Center has been monitoring this issue. They have confirmed seeing related exploits in the wild. They also confirmed that Microsoft’s ‘Fix-It’ solution prevents these exploits, but only in 32-bit versions of Internet Explorer.

Update 2013Oct03: The developers of the controversial hacking toolkit Metasploit have released a module that exploits this IE vulnerability. This is likely to spur an increase in the number of attacks based on this vulnerability. Microsoft has yet to release a proper fix. If you use Internet Explorer for anything other than Windows Update, you should consider applying the temporary Fix-It solution or installing EMET (see above).
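The advisory's "raise the security settings related to running ActiveX" workaround is a per-zone Internet Explorer setting that lives in the registry, so it can be inspected and applied from a script. The PowerShell below is an added example, not code from this blog or from Microsoft's advisory; it assumes the well-known per-user zone key (zone 3 is the Internet zone) and the standard value names 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting), where data 0 means enable, 1 prompt and 3 disable. It reports the current state, previews a change to "prompt" with -WhatIf, and echoes the 32-bit-only caveat from the SANS update.

```powershell
# Added example (not from the post or from Microsoft's advisory): inspect and
# harden the Internet Explorer "Internet" zone so ActiveX controls and Active
# Scripting prompt instead of running silently.
# Assumptions: per-user zone path below; value 1200 = Run ActiveX controls and
# plug-ins, 1400 = Active scripting; data 0 = Enable, 1 = Prompt, 3 = Disable.
# A machine-wide policy (HKLM) for the same zone, if present, overrides HKCU.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$Settings = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneSetting {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Report the current state of both settings in the Internet zone.
foreach ($name in $Settings.Keys) {
    $value = Get-IEZoneSetting -Path $ZonePath -Name $name
    $label = if ($null -ne $value -and $Meaning.ContainsKey($value)) { $Meaning[$value] } else { "unset/$value" }
    Write-Host ("{0,-35} {1}" -f $Settings[$name], $label)
}

# Apply: prompt before running ActiveX controls or scripts in the Internet zone.
# -WhatIf only previews the change; drop it to actually write the values.
foreach ($name in $Settings.Keys) {
    Set-ItemProperty -Path $ZonePath -Name $name -Value 1 -Type DWord -WhatIf
}

# Caveat noted in the post: the Fix-It shim protects only 32-bit Internet Explorer.
if ([Environment]::Is64BitOperatingSystem) {
    Write-Host '64-bit Windows: the 32-bit IE under "Program Files (x86)" is covered by the Fix-It; the 64-bit IE is not.'
}
```

Setting the values to 1 (prompt) rather than 3 (disable) keeps sites such as Windows Update usable while still forcing a decision before active content runs; sites you trust can be moved to the Trusted sites zone (zone 2) instead of loosening the Internet zone.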

Patch Tuesday for September 2013

Another month, another pile of patches from Microsoft. This month there are fourteen bulletins, addressing security vulnerabilities in Windows, Internet Explorer, Office, and the .NET framework. Four of the bulletins are rated Critical.

As usual, the updates will become available after 10am PST from Windows Update.

The SANS Internet Storm Center has a detailed look at the vulnerabilities addressed by this month’s patches.

The Microsoft Security Response Center has a somewhat friendlier summary of this month’s updates.

When Windows XP support ends…

After April 2014, it will no longer be possible to obtain security updates for Windows XP – unless you’re paying Microsoft a ton of money. This has some interesting ramifications.

Clearly, there will be renewed interest in the aging O/S as an attack target. New vulnerabilities will continue to appear, but will remain unpatched on most Windows XP computers. Tools that exploit these vulnerabilities will increase in value, resulting in a boom for anyone developing them.

Depending on how many XP systems remain after April 2014, and the number and seriousness of vulnerabilities discovered after that date, there may be some backlash against Microsoft. There may be calls to extend support for XP even further. It’s possible that as many as one third of all computers and devices will still be running XP after support expires.

If Microsoft declines to extend support, you can bet that any new patches they develop for XP will find their way into the hands of regular users through unauthorized torrents and underground web sites.

On the other hand, while keeping Windows XP patched is obviously an important part of an overall security plan, there are other ways to protect yourself. Most users these days connect to the Internet through a router/firewall, which – if configured correctly – makes it almost impossible for an attacker outside the router to identify or even detect a computer inside the router. So, while I’m not recommending that you ignore this problem (you should really upgrade to Windows 7), there may not be a reason to panic if you’re still running Windows XP next year.

Update 2013Aug21: Another ComputerWorld post on this subject, and a post from ZDNet.

Today is Patch Tuesday for August 2013

It’s that time again. This month Microsoft has issued eight bulletins, with three of them flagged as Critical. The associated patches affect Windows and Internet Explorer. The August 2013 security bulletin has all the technical details. A post on the Microsoft Security Response Center has a somewhat friendlier summary. For a slightly different view of this month’s updates, check out this post on the SANS Internet Storm Center.

Windows 8.1 update coming in October

Windows 8.1 (essentially Windows 8 Service Pack 1) will be made available starting some time in October 2013, according to various sources.

Included in the free update will be several tutorials on the new user interface. The exclusion of such tutorials in Windows 8 was a strange decision by Microsoft, since they were in every previous version of Windows.

The update will also include a variety of changes related to user interaction, affecting the use of touch, mouse and keyboard input. Context menus will be improved for better usability.

Update: Microsoft has set a firm date for availability of Windows 8.1: October 18, 2013.

Microsoft says “your privacy is our priority” (unless the NSA is involved)

Over at TechDirt, a post by Tim Cushing details a recent leak published by The Guardian, showing that Microsoft values your privacy, unless the NSA comes calling. When the NSA asks for your ‘private’ information, Microsoft is happy to hand it over. This means that nothing you say on Skype, Outlook.com, Skydrive or Hotmail is safe from prying eyes.

Microsoft is quick to point out that nothing they’ve done is illegal, but that’s really the problem, isn’t it?

Windows 8.1 available to manufacturers in late August

On July 8, at the Worldwide Partner Conference in Houston, Microsoft executives announced that Windows 8.1 will be released to manufacturing in late August. Still no word on when the update will become available to consumers in retail stores or through other channels.

Another question that remains is whether Windows 8.1 will be available through Windows Update or Windows automatic updates. If so, will it be a forced update, or will it be optional? In the past, Windows Service Packs (which are the closest analog to the 8.1 update) were available via Windows/auto update and – at least initially – not forced.