killatokes Posted December 17, 2008

http://www.washingtonpost.com/wp-dyn/content/article/2008/12/16/AR2008121602378.html

Microsoft Issues Emergency Security Patch For IE

Microsoft is issuing an emergency patch for a critical Internet Explorer flaw.

Microsoft will issue an emergency security patch Wednesday for all versions of Internet Explorer. The patch is considered a critical fix for the security flaw currently plaguing the IE browser. So far, more than 2 million computers are believed to have been infected.

An advance notification of the patch published Tuesday describes it as protection for a "remote code execution" vulnerability. The move follows Microsoft's security advisory posted last Wednesday and updated Monday explaining the vulnerability and suggesting temporary "workarounds" for protection.

The flaw can be used to let attackers steal personal data such as passwords if a user visits a compromised Web site, of which at least 10,000 are thought to already exist. Thus far, the vulnerability has been used primarily for grabbing gaming passwords for black market sales. The hole could, however, potentially also be used to steal more sensitive information such as banking passwords and other private information. Some security analysts had gone as far as to suggest all IE users switch to a competing browser until Microsoft found a suitable fix.

Microsoft's emergency security patch will become available Wednesday at 1 p.m. EST at the Microsoft Update site as well as at the Microsoft Download Center. All users of IE5, 6, and 7 are advised to install it. A separate patch is expected to be made available for users of IE8 Beta 2. Expect to see far more detail by midday Wednesday when Microsoft officially issues its security bulletin.
and more info here: http://www.guardian.co.uk/technology/2008/dec/16/internet

Microsoft Internet Explorer users told to switch browsers over flaw

Richard Wray, guardian.co.uk, Tuesday 16 December 2008 14.33 GMT

Users of Microsoft's Internet Explorer have been warned of a flaw that could let hackers gain access to their computers and steal personal data, and told them to swap to a rival browser.

The flaw was spotted last week when hackers started attacking users of IE 7. The flaw, however, has also been found in earlier versions of Microsoft's browser, IE 5 and IE 6. Because IE is used by seven out of every ten computers in the world, the flaw is potentially very serious. So far, however, it only seems to have been used to steal computer game code from rival gamers.

Microsoft is trying to put together a patch, but in the meantime computer users have been advised to update their security settings or switch to unaffected browsers such as Firefox or Opera. The latter scored highest in a recent set of tests of how browsers deal with password security, by security consultants Chapin Information Services. Firefox came second with IE mid-table. Google's new browser, Chrome, and Safari 3.2 for Windows tied in last place.

The flaw in IE allows criminals to gain control of computers that have visited a website infected with malicious code designed to exploit it. While restricting web surfing to trusted sites should reduce the risk of infection, the malicious code can be injected into any website. Users do not have to click or download anything to become infected, merely visiting an infected website is sufficient. Antivirus software specialists Trend Micro believe as many as 10,000 sites have been hacked to exploit the flaw.
Sites that have been compromised so far, however, are mostly Chinese and the attackers seem intent on stealing people's computer game passwords in order to sell them on the black market rather than looking for personal details such as bank accounts.

It is known as a "zero-day" attack because it exploits a security vulnerability on the same day that the vulnerability became generally known. Usually there is a "window of vulnerability" between when the flaw is discovered and when the vendor issues a patch. The hope is that the vendor issues the patch before writers of so-called "malware" can exploit the flaw. If the malware writers have the flaw first, then the vendor has "zero days" to create a patch.

"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in IE," the company said in a security alert updated yesterday. "We are actively investigating the vulnerability that these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes."

"On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

What should Internet Explorer users do?

• Change the program's internet zone security setting to "high". This should protect against all known exploits of this vulnerability by disabling scripting and disabling less secure features in IE. It is, however, likely to slow down a user's web experience.
• Log out of your computer and create a new user account which has limited rights to change the PC's settings. Log in as that user. This should reduce the chances of anyone being able to exploit the flaw should your computer become infected.
• Keep antivirus software up to date. This is likely to have only limited effect as most antivirus software packages only investigate files that are downloaded from the internet, rather than looking at every page visited.
• Switch to another browser, preferably Firefox. This is by far the best option.

***scary stuff folks
c-towns Posted December 17, 2008

I haven't seen any other warnings of this other than here, anyone else confirm this?
killatokes Posted December 17, 2008

i originally saw this warning on Strombo's show last night, did a google search and came up with a ton of hits on this. it appears now that microsoft is planning a "quick fix" on this problem and NOT to switch browsers... but what else would they say?
tigger Posted December 17, 2008

this was on CNN on sunday as well.
elemeno Posted December 17, 2008

oh no a problem with a microsoft product! quick everyone turn your computers off and wait for the end of the world.
questcequecest? Posted December 18, 2008

i'm running vista, my computer won't shut down!
CyberHippie Posted December 18, 2008 (edited)

I've been seeing the IE warnings everywhere... It's legit. It really should be moot, because people really shouldn't still be using IE anymore... Time to kick your M$ habits folks...

Edited December 18, 2008 by Guest
killatokes Posted December 18, 2008 (edited)

the stats on the one page suggested 6 out of 10 'puters in the world is running IE? i think? i'll admit it i was one of those 6... switched at about 5:20 am right AFTER the initial post. still working out the newness with Firefox but liking all the options and the better (maybe false) sense of security.

edit to add: http://news.bbc.co.uk/2/hi/technology/7788687.stm

Microsoft issues patch to fix IE

Microsoft has issued a security patch to fix a critical vulnerability in its Internet Explorer browser it said has attacked over 2m Windows users. The flaw is believed to have already infected as many as 10,000 websites.

The "zero day" exploit let criminals take over victims' computers by steering them to infected websites.

Microsoft's Christopher Budd said the software giant "encourages all IE customers to test and deploy this update as soon as possible". He also said the threat lead Microsoft to mobilize security engineering teams worldwide to deliver a software cure "in the unprecedented time of eight days".

MICROSOFT SECURITY ADVICE

• Change IE security settings to high (Look under Tools/Internet Options)
• Switch to a Windows user account with limited rights to change a PC's settings
• With IE7 or 8 on Vista turn on Protected Mode
• Ensure your PC is updated
• Keep anti-virus and anti-spyware software up to date

The company's security response team said the patch consists of more than 300 distinct updates for more than half-a-dozen versions of IE in around 50 languages.

"Even with that, the release Emergency Response process isn't over," said Security Response Alliance director Mike Reavey. "There is additional support to customers and additional refinement of our product development efforts."

Microsoft stressed that the flaw was proven to exist only in IE 7 on all applicable versions of Windows, but that IE 6 and the "beta" release of IE 8 were "potentially vulnerable".
Users who have automatic updates turned on will receive the patch over the next 24 hours while others can access it via a download.

'Wildfire'

The AZN Trojan has been making the rounds since the beginning of December but became public knowledge in the last week. Unlike other exploits, users only have to visit a malicious site with Trojans or other malware in order to become contaminated.

Once an infected web page is opened, malicious downloaders are installed on the computer designed to record keystrokes and steal passwords, credit card details and other financial information. The sites affected are mostly Chinese and have been serving up programmes to steal passwords for computer games which can then be sold for cash on the black market.

Microsoft estimated that one in every 500 Windows users had been exposed to sites that try to exploit the flaw and the number of victims was increasing at a rate of 50% daily.

Researchers at the software security firm Trend Micro said attacks were spreading "like wildfire". "This vulnerability is being actively exploited by cyber-criminals and getting worse every day," said the company's advanced threat researcher Paul Ferguson.

Microsoft labelled the bug as "critical," the most serious threat ranking in its four-step scouring programme.

Firefox update

The update is something of an unusual move for Microsoft and underscores the seriousness of the zero day flaw. The company rarely issues security fixes for its software outside of its regular monthly patch updates.

Meanwhile Mozilla has released a scheduled update for its open source Firefox web browsers for at least 10 different vulnerabilities. The bugs in the browser could have been "used to run attacker code and install software, requiring no user interaction beyond normal browsing," said Mozilla.
It is also reissuing calls for users to upgrade from Firefox 2.0 to Firefox 3.0 as soon as possible and said it is "not planning any further security and stability updates for Firefox 2". This means Mozilla will no longer support the Firefox 2 browser against future online scams and attacks.

holy smokes!: "Microsoft estimated that one in every 500 Windows users had been exposed to sites that try to exploit the flaw and the number of victims was increasing at a rate of 50% daily."

you would think something so seemingly widespread would be better publicized in the sense of alerts and such.

Edited December 18, 2008 by Guest
backbacon Posted December 18, 2008

"• Switch to another browser, preferably Firefox. This is by far the best option."

I pretty much only read that one line and am now using Firefox 3.0.5. I guess I'm all set now?
LXQ42 Posted December 18, 2008

I hope so, cuz that's exactly what i did....I used firefox already, but upgraded to the newest version....wow..paranoia will destroy ya....
jayr Posted December 18, 2008

"• Switch to another browser, preferably Firefox. This is by far the best option."

"I pretty much only read that one line and am now using Firefox 3.0.5. I guess I'm all set now?"

ditto
killatokes Posted December 19, 2008

i'm liking firefox as well. i did put the IE skin on it though

i have a question though... why, when i go to add/remove programs am i not able to uninstall IE?
Esau. Posted December 19, 2008 (edited)

http://support.mozilla.com/Uninstalling+Internet+Explorer

[edit to add] It's sorta funny to see all the hoopla about this and folks scrambling to use firefox. Makes ya wonder why folks didn't switch when it happened in 2006 (M$ excel "zero-day" flaw) or even when it happened back in january of this year? (also an excel "zero-day" flaw). It's not like it was kept under wraps until now.

Edited December 19, 2008 by Guest
backbacon Posted December 19, 2008

I guess it was kept under wraps enough for me not to hear about it before.
mattm Posted December 19, 2008

I don't use IE unless I have to. Firefox is great and I think it's much better. Once you start playing around with it and customizing things a little it's almost impossible to go back.

For example, say you have some sites you go to all the time but have a long address, something on the lines of: http://jambands.ca/sanctuary/showforum.php?fid/11/

Well, you can go to the page, bookmark and you're golden. Now, add firefox and you can be even better off. Head into your bookmarks, right click on the one you just made and give it a keyword (let's say jambands). Now go to your address bar and type the keyword (jambands in this case) and there's your page...

Rogers Users: Firefox used to be pretty good at figuring out what site you were looking for. If you typed jambands in the address bar (and didn't have it set as a keyword to a bookmark), it would search google using I'm feeling lucky (usually the top search result but I'm feeling lucky brings you straight to the page instead of a search results page). Well, rogers has recently decided to change that. Now, if rogers sees that the page you asked for doesn't exist, it will spit back its own search page (of course filled with ads) instead of the error (it's the error that firefox waits for before searching google for you). Search google for a way to fix this
mattm Posted December 19, 2008

Also to add:

IE has always been full of holes, I like to think of it like a spaghetti strainer, always have. Firefox has also had some security problems but not near as many and for the most part they can be prevented (as in the statement by the mozilla people that it might have been in firefox but it could never install the stuff automatically without your approval).

I'm not sure why a lot of people don't know about IE but I think it's mostly due to lack of caring much about learning security related computer stuff. If you don't have an IT background, it's much easier to just use IE and you are also much less likely to read IT papers. For that main reason it's also attacked much harder (same with windows) than its competitors because it has a much higher percentage of oblivious folks using it.

If you find it offensive when I say oblivious folks then don't as the oblivious folks are by far in the majority and there's nothing wrong with it (you should be able to be oblivious about these things if software is built correctly and works properly, especially if the software is geared to general use and the general public).
ollie Posted December 19, 2008

Put on your tinfoil hats everybody!
Esau. Posted December 19, 2008

"I guess it was kept under wraps enough for me not to hear about it before."

I wasn't actually referring to anyone in this thread, just in general from reading the news articles posted & numerous other mentions in media (TV, radio, microsoft's website etc.) and some tech sites, there is a lot more people than the few in this thread out there jumping to firefox. But now that you bring it up...