Entries with tag browser security.

Microsoft Issues Internet Explorer Patch for Windows XP Users

Despite ending support for Windows XP on 8 April, Microsoft has released a patch for an Internet Explorer (IE) flaw that will work for users of Windows XP, 7, and 8. The fix addresses a security issue for IE versions 6 through 11. According to Microsoft, the vulnerability affects the way IE accesses an object in memory that has been deleted or that has not been properly allocated. It could corrupt memory in a way that lets an attacker remotely execute arbitrary code in a user’s browser. Microsoft is continuing to ask customers using XP to upgrade to a newer Windows version and those using Internet Explorer to move to the latest iteration. (The Associated Press)(GeekWire)(Microsoft Security Response Center)

Mozilla Patches Vulnerabilities Exposed During Hacking Contest

The Mozilla Foundation has issued patches for five vulnerabilities discovered by researchers during the recent Pwn2Own hacking contest. The Foundation gave a total of $200,000 to the researchers for finding the flaws in applications including Firefox 28, Firefox on Android, and Firefox OS. Pwn2Own participants also found vulnerabilities in applications from other developers. (Computerworld)(Threat Post)

US-CERT: Those Remaining with Windows XP Should Update Browser

Individuals planning to continue working with Windows XP after Microsoft ends support on 8 April 2014 should use a browser other than Internet Explorer, according to a newly released US Computer Emergency Readiness Team (US-CERT) bulletin. Microsoft ties support for its Internet Explorer browser on an operating system to the OS’s end-of-support date. Thus, Windows XP users will no longer get patches for IE7 or IE8, the last version that the operating system supported. Moreover, Microsoft will end its support for IE6 in April. Mozilla, on the other hand, has not indicated when it will discontinue Windows XP support. And Google says it will issue XP patches for Chrome through at least April 2015. Thus, US-CERT advised, “Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a Web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.” (Computerworld)(US-CERT)

Microsoft Yet to Patch Threatening Browser Exploit

Code that hackers can use to exploit an unpatched vulnerability in all Internet Explorer software has been released into the wild, potentially causing an uptick in threats against users. The CVE-2013-3893 exploit has been released in the Metasploit open source testing tool. The tool is designed for use by security professionals, but cybercriminals often use such publicly available code in their exploit kits. Most of the attacks to date using the Internet Explorer vulnerability have been against targets in Japan and Taiwan. The vulnerability can be triggered to execute code if an Internet Explorer user visits a compromised or malicious website. Microsoft has not yet released a permanent patch for the vulnerability, only a temporary “fix it.” The company’s next set of regular updates is scheduled for 8 October 2013. (CNET)(PC World)

Security Researchers Find that Hackers Increasingly Exploit Unpatched Browser Vulnerability

An unpatched vulnerability in all versions of Microsoft’s Internet Explorer browser is raising concerns as it poses what The SANS Institute’s Internet Storm Center called a “significant new threat” to Internet users. The Internet Storm Center elevated its Internet threat rating because of the vulnerability, based on increased evidence of exploits. Attacks are reportedly being launched against Internet Explorer 8 and 9, but the vulnerability affects all versions of Microsoft’s browser. Security vendor FireEye recently released a detailed analysis of an ongoing campaign of attacks—based on the vulnerability—focused on Japanese organizations since August. The attacks compromise and install malware on Windows PCs. Microsoft—whose next scheduled patch release is 8 October—has not yet indicated when it will release a fix for the browser vulnerability. (Computerworld)(Internet Storm Center)(FireEye)

Microsoft Zero-Day Vulnerability Targets US Nuclear Researchers

Microsoft has confirmed that a zero-day vulnerability exists in all versions of Internet Explorer 8, the company’s most popular browser. Security researchers say hackers have used the vulnerability in attacks against US Department of Energy nuclear-weapons scientists as well as US Department of Labor employees. The DoE’s Site Exposure Matrices website, used for information related to illnesses in employees who work in developing or disarming nuclear weapons, was specifically targeted in a watering-hole attack. In these attacks, hackers use website flaws to implant malware, which infects subsequent visitors. One security expert says these types of attacks will be successful unless users begin utilizing advanced browser protection software, such as virtual containers. Similar recent attacks have affected the Council on Foreign Relations think tank, NBC, and Capstone Turbine, a renewable energy firm, according to NextGov, a news and analysis website for US federal IT managers. Microsoft indicated it will issue a fix for its browser vulnerability but has not said when. The company’s next regularly scheduled security update will be on 14 May. (Computerworld)(ZDNet)(NextGov)

Firefox Plans Default Blocking of Browser Plug-Ins

Mozilla has announced that its Firefox Internet browser will soon block all browser plug-ins—except Adobe Flash Player—by default. Mozilla says this will eliminate the exploitation of vulnerabilities that lead to “drive-by” downloads, which cripple unwitting users’ computers when they access an infected website. Hackers are increasingly targeting browser plug-ins such as Flash, Adobe Reader, and Java. Future iterations of Firefox will use the click-to-play approach, which asks users for approval each time they need a plug-in. Mozilla says this will improve browser performance and stability, in addition to adding security. (NBCNews.com)(Mozilla Security Blog)
