Category Archives: Windows

Internet Explorer, Microsoft, Security, Windows

New Internet Explorer vulnerability being actively exploited

1 Comment

Another new exploit has been discovered by security researchers, this one affecting Internet Explorer. The exploit uses two as-yet unpatched vulnerabilities in IE 7 through 10.

This is not to be confused with the recently-announced exploit affecting Microsoft Office.

Recommendations:

  • Avoid using Internet Explorer. If that’s not practicable, exercise extreme caution when browsing the web.
  • Install and use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)

Ars Technica has more details.

Update 2013Nov12: a patch for this vulnerability will be included with this month’s Patch Tuesday updates, later today.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Advance notification of November 2013 Patch Tuesday

Leave a comment

Tuesday, November 12 will see a modest batch of updates from Microsoft. There will be eight bulletins in total, with five Critical updates addressing vulnerabilities in Windows and Internet Explorer, and three Important updates addressing vulnerabilities in Windows and Office.

The recently-discovered vulnerability in Office running on Vista will not get a patch on November 12, but Microsoft is working on it and will release it as soon as it’s ready.

Microsoft, Security, Vista

Vulnerability in MS Office on Vista being actively exploited

2 Comments

Microsoft has issued a security advisory to users of Office on Windows Vista. A newly-discovered vulnerability in Microsoft Office versions 2003 through 2010, when running on Windows Vista, is already being exploited by nefarious hackers.

If you are using Office 2003 to 2010 on Windows Vista, you should take steps to protect yourself until Microsoft releases a patch for this vulnerability:

This vulnerability also affects Office 2003 through 2010 running on Windows Server 2008, but you shouldn’t be running desktop applications on server software anyway, right?

The MSRC blog has more information, as does an Ars Technica post on the subject.

Update 2013Nov09: apparently attacks based on this vulnerability are more widespread than was originally estimated.

Boot13, Security, Tools, Windows

Secunia’s Online Security Inspector is no more

Leave a comment

The formerly excellent free OSI service provided by Secunia has been discontinued. I used the OSI service because it was an easy way to check for vulnerable software on any Windows computer.

Recently, OSI stopped working, and Secunia chose to retire the service rather than fix it. There’s probably more to their decision, but they’re not saying, at least not publicly. The OSI web site says only “We have discontinued the Secunia Online Software Inspector (OSI).” and recommends alternatives.

The primary alternative to OSI offered by Secunia is the “Personal Software Inspector”. As with OSI, PSI was developed in Java and requires Java to run. Unlike OSI, however, PSI runs as an application outside the context of your web browser. This has at least one advantage, in that there’s now one less reason to leave Java enabled in your web browser.

Unlike OSI, which was a strictly on-demand service, PSI by default sets itself up to start with Windows, checking for vulnerable software and updating it automatically. I’m not a fan of automatic updates: I want to be in control of what gets updated and when. Fortunately, PSI can be configured to only notify you of software that can be updated. You can also configure it NOT to start with Windows, but there are some additional steps you’ll need to take if you want to use PSI strictly on-demand.

PSI installs two services: Secunia PSI Agent and Secunia Update Agent. These services are configured to start automatically with Windows. If you want to run PSI on-demand only, you’ll need to change the Startup Type for both of these services from Automatic to Manual. When you run PSI, it will start both of these services. When you close PSI, it will stop the Secunia PSI Agent service, but leave the Secunia Update Agent running (it appears as sua.exe in the Windows process list). You’ll have to stop it manually.

Once PSI is running, it presents a list of installed software, along with status and options for each. We recommend changing the display to ‘Detailed View’ – click ‘Settings’ at the bottom of the PSI screen and enable that setting. While you’re there, you can also disable ‘Start on boot’ and select ‘Update handling: Notify’. For each application listed, the Status column shows the most obvious options, including ‘Download’ and ‘Update’. Right-clicking the entry for an application will show a context menu that allows you to see additional details about available updates, or choose to ignore updates for that application.

Warning: PSI seems to start scanning your computer before it presents any part of its user interface. That means you have to act quickly the first time you run it, if you want to configure it for on-demand scans only. Hopefully now that OSI users are migrating to PSI, Secunia will listen to their requests and make PSI more friendly to people who prefer the on-demand approach.

Additional information on setting up and using Secunia’s PSI can be found on this site’s ‘Scan for vulnerable software‘ page.

Microsoft, Mobile, Tools, Windows

Smartphones just became useful

Leave a comment

I don’t have a smartphone. I’ve fiddled with them, and I use one for app development. But the mobile device I actually use for day-to-day phone communication is an ancient Nokia 2610b.

Nokia 2610b
Hey, don’t laugh – it works.

I’ve never had any issues with call quality, or any other problems with this phone. It lets me download media from arbitrary web locations and use any sound file as a ring or other tone. It’s sturdy; I literally use it as a beer bottle opener. Of course it doesn’t have a full keyboard, and the buttons are tiny, but I’m no rapid-fire texter anyway. The display is very basic, but it works for me.

I’ve been tempted on many occasions to buy a smartphone. The coolness factor alone has almost triumphed, but so far I’ve resisted its lure. Sure, smartphones can do lots of cool stuff, and I have no doubt that if I owned one, I’d spend a lot of time playing with it. But in the end, the only features I would really use are the phone, contacts, text messages (including alerts from Google Calendar), and occasionally the timer and alarm.

Until today, I thought I might end up using the 2610b until it died (which is unlikely), the battery stopped holding a charge (original battery is still going strong), or somehow it was no longer supported by my carrier (also unlikely).

What changed my mind? Microsoft released a mobile version of Remote Desktop. That’s the software I use to remotely control the Windows PCs I administer. I use it to administer the media computer downstairs, and the server next to me. I use it to manage client computers in this and other cities. And I use it to access my main PC when I’m elsewhere. It’s indispensable. And now it runs on Android and iPhone devices.

This changes everything: now I have a valid reason to buy a smartphone. But I’ll continue to resist as long as I can.

Microsoft, Patches and updates, Windows 8.x

Windows 8.1 released today

Leave a comment

Windows 8 Service Pack 1 Windows 8.1 is now available. If you’re not already running Windows 8, you can purchase 8.1 from the Windows Store. If you are using Windows 8, you should start seeing prompts in the Windows Store to upgrade to 8.1 (a free download).

In the past, when a Windows Service Pack became available, savvy users tended to stay away until the inevitable problems were resolved. I don’t see any particular reason to charge blindly into Windows 8.1 either. My advice is to wait for at least two weeks and monitor this and other tech blogs for reports from early adopters.

Ars Technica and The Verge have additional information:

Adobe, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for October 2013

Leave a comment

Patches from Microsoft and Adobe were announced today, along with a new version of Flash.

Eight bulletins from Microsoft fix security vulnerabilities in Windows, Internet Explorer, .NET, Office, Windows Server and Silverlight.

The Microsoft Security Research Center as usual provides a more friendly overview of this month’s patches, while the SANS Internet Storm Center provides a wealth of technical details.

Two bulletins from Adobe fix security vulnerabilities in Adobe Reader/Acrobat and Robohelp.

Flash 11.9.900.117 includes a long list of bug fixes. Chrome will be updated silently to match the new version of Flash. An update for Internet Explorer 10 on Windows 8 is also on the way.

Chrome, Firefox, Internet Explorer, Linux, Mac, Opera, Windows

Operating System and browser use statistics

Leave a comment

Ars Technica recently posted an interesting summary of usage stats for operating systems and web browsers on desktop, laptop, and mobile computing platforms.

Here are a few highlights:

  • Almost half of all computers are running Windows 7, and a third still run Windows XP.
  • Internet Explorer is used on over half of all computers.
  • There is still a sizable population of computers running Internet Explorer 6.
Internet Explorer, Microsoft, Patches and updates, Security, Windows

Internet Explorer flaw being actively exploited

1 Comment

Yesterday, Microsoft announced that they are looking into reports of a security vulnerability potentially affecting all versions of Internet Explorer. Apparently an exploit for this flaw exists and has been observed in the wild, targeting IE 8 and 9.

If you are using one of the affected browsers (likely all versions of Internet Explorer) and you visit a web site that has been compromised with malicious code that targets this vulnerability, an attacker might be able to execute arbitrary code on your computer remotely.

Microsoft issued security advisory 2887505 to warn and provide guidance to users. Workarounds include installing EMET and raising the security settings related to running ActiveX within the browser.

No patch for this vulnerability has yet been published by Microsoft, although there is a temporary ‘Fix-It’ solution available from Microsoft.

Update 2013Sep21: The SANS Internet Storm Center has been monitoring this issue. They have confirmed seeing related exploits in the wild. They also confirmed that Microsoft’s ‘Fix-It’ solution prevents these exploits, but only in 32-bit versions of Internet Explorer.

Update 2013Oct03: The developers of the controversial hacking toolkit Metasploit have released a module that exploits this IE vulnerability. This is likely to spur an increase in the number of attacks based on this vulnerability. Microsoft has yet to release a proper fix. If you use Internet Explorer for anything other than Windows Update, you should consider applying the temporary Fix-It solution or installing EMET (see above).