IE Zero-Day Vulnerability

Microsoft Security Advisory 2963983 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – TechNet

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

More information in the full article. There is no patch. But Microsoft has given some recommendations which are easier to understand at Security Garden’s posting:

Recommendations

As illustrated in the “Security Research and Defense Blog” reference below, users of IE 10 and 11 should ensure they haven’t disabled Enhanced Protection Mode.

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET). The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:

  • Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting

  • Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

 

Those still using Windows XP on the Internet, please be aware:

VERY IMPORTANT FOR ANY HOLD OUT WINDOWS XP USERS

This is the first of the security vulnerabilities that DOES NOT include workarounds  for Windows XP. The oldest Windows noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product’s support has expired — as is true now about Windows XP SP3 since April 8, 2014 — Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only list Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

  • a hardware router with Stateful Packet Firewall
  • should be using a ‘real’ software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET’s Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
  • block Internet Explorer through the ESET or other software firewall.
  • should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
  • uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
  • need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
  • no risky behavior
  • no banking … note very soon banks will be disallowing expired Windows XP entirely anyway.

IMPORTANT: You can not block a program from getting out to the Internet with the Windows XP Firewall. It is only a one way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall including Windows 7 and Windows 8 built-in software firewalls do.

Here’s a quote from a ZDNet article:

To those planning to stick resolutely with the aged Windows XP operating system even after Microsoft ends support next year, the advice from experts is simple: Don’t do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could  convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

If you need help with any of this, please contact your computer guru, join a forums like Scot’s Newsletter Forums – BATL (Bruno’s All Things Linux) to ask questions, or you can use the contact info on my website  to contact me for some help.

Advertisements

New, sneakier Flashback malware infects Macs

New, sneakier Flashback malware infects Macs – Computerworld

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

“The differences are very subtle,” Peter James, a spokesman for Intego, said in an interview Tuesday. “There’s no password request [by Flashback.S].”

Much more in the two page article.

Apple will likely need to update their seek and destroy tool very quickly to help users stay free of this new variant.

If you think you are beginning to need an antivirus/antimalware solution, there are quite a few out there. Below are just a few:


Sophos Anti-Virus for Mac Home Edition
– Sophos has a worthy product out there and it is nice that they make their money on corporate/business computers and offer the home version for free.

ClamXav The Free Anti-Virus Solution for Mac OS X It uses the popular open source ClamAV engine as it’s back end and has the ability to detect both Windows and Mac threats.

There are other options as well for the Pay to Play crowd.

ESET Cybersecurity for Mac

And others from Intego Virus Barrier for Mac free and Pro versions available in the Mac App Store. Intego as noted above found this newest FlashBack in the wild). Other Mac antivirus firms Symantec/Norton, and many more.

Many of these come with a heavy CPU usage hit that is very annoying considering the small number of actual threats out there for the Mac. Of course some users may feel that the ones that provide real time protection are the way to go, some may feel it is worth it if their Macs are speedy enough and they have enough RAM.

For those who don’t think they need a Mac antivirus just yet, if you don’t use Java or none of your programs use Java, you could go to the ~/Applications/Utilities/Java Preferences.app and disable Java until you actually need it and then re-enable it as needed. It’s a very easy thing to do really.

Or you could set up AppleScript to monitor areas where malware might inject itself so it will alert you.

Monitor OS X LaunchAgents folders to help prevent malware attacks – CNET

Some additional locations to add can be found at MrAnderson.info here.

Also installing Piriform CCleaner for Mac is a great idea and can be run as needed very quickly every day even.

Certainly less of a system resource hit and one could still have a non-resident antivirus and scan at your convenience and respond if the Applescript tells you something is going on that you didn’t instigate by installing a program, etc.

The Applescript monitoring locations that you can set up is built with Mac OS X which is light on resources and free. The Applescript monitoring does a similar thing as WinPatrol does in Windows – but of course in a very small area comparatively. WinPatrol does so much more but the key similarity is the monitoring for changes to areas that malware can hit a Windows PC.

What we need for people who are not very savvy about these things is a MacPatrol app like WinPatrol.

Call Starkist

Newest MacDefender installs without password

[tweetmeme source=”franscomputerservices” only_single=false]Newest MacDefender scareware installs without a password (Computerworld)

Criminals ‘give Apple the finger,’ says security researcher, by releasing new version just hours after Apple warned of fake AV software

Joy…This just hours after Apple decided to finally help users defend against these fake AV scams, as well as provide a way to rid the Mac of the problem.

The article notes given the name of the new malware and the timing of its release, they definitely think it does seem like a reactionary message.

And the worst part … now no password needed. Or maybe the worst part will be the new spammer’s URL shortening scheme?

Spammers establish their own fake URL-shortening services (Help Net Security)
:

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites.

These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.


Mac malware authors release a new, more dangerous version (ZDNet)
:

Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

File that memo under, “Too little, too late.”

Yes….it does seem so.

If you want to keep your money Apple, you should be thinking about protecting your users a whole lot quicker than this from now on.

God help all Apple users, the gloves are off…be on your guard for MacGuard…

New Mac Malware – Is Mac no longer safer?

[tweetmeme source=”franscomputerservices” only_single=false]Update: 5/25/2011 – Updates to this posting from Computerworld and USAToday and Apple themselves in the form of a Support document to help users to remove the malware, and promise to provide a tool that will remove it and notify users if they attempt to download the malware. See details below.

With the equivalent of “Security Center 2011” now having a counterpart for the Mac called “MAC Defender, Mac Security, Mac Protector, or any number of knockoff names“, there is a lot of discussion as to how safe the Mac still is compared with Windows.

I have not seen any Windows variant of this type of malware that is as easy to remove from Windows as it is from the Mac.

Sure, Malwarebytes Antimalware will take care of it easily on Windows, even if you somehow are tricked through social engineering to click on it (it can get a little dicier depending on how far you let it get), but with the Mac, you just go to Applications, find Mac Defender and throw it in the trash and flush. What’s easier than that? Here‘s the full instructions in Bleeping Computer’s full removal instructions.

EDIT 5/25/2011 – IMPORTANT REMOVAL INFO: Apple has also now posted removal instructions including killing the process, removing the program, and stopping it from starting on boot, here. This was noted in Computerworld: Apple admits Mac scareware infections, promises cleaning tool and USAToday: Apple to issue Mac update to halt malware attacks, and Arstechnica: Apple acknowledges Mac Defender malware, promises software update, as well as likely other places on the web today.

The Computerworld article above notes:

Andrew Storms, director of security operations with nCircle Security, was surprised that Apple said it would embed a malware cleaning tool in Mac OS X.

“That’s new ground for Apple,” Storms said, pointing out that the move is a first for the company, which until now has only offered a bare-bones malware detection mechanism in Mac OS X 10.6, aka Snow Leopard, and then only populated it with a handful of signatures.

“Not only is Apple going to help customers remove [Mac Defender], but by doing so, they’re also admitting that there are security problems with Mac OS,” Storms said.

Even though it is very easy to remove, with Mac Defender out there, it does mean that malware, particularly on compromised websites, have begun to include other platforms. And you can bet others will follow. And they may not be as easy to remove.

So, does it mean Mac users should be installing Antivirus and/or Antimalware programs? I have, but according to the Wired.com article below:

Charlie Miller, a security researcher who has repeatedly won the annual Pwn2Own hacking contest by hacking Macs and iPhones, told Wired.com he doesn’t think so.

Ultimately, it’s up to the customer because there’s a trade-off involved. Anti-virus software will help protect your system from being infected, but it’s expensive, uses system memory and reduces battery life.

“Mac malware is still relatively rare, but is getting worse,” Miller said. “At some point soon, the scales will tip to installing antivirus, but at this point, I don’t think it’s worth it yet for most people.”

So how is this happening?

Browser choice and settings The first problem I see for Mac users is Safari and it’s settings. First for the same reason I rarely ever use Internet Explorer in Windows, I rarely use Safari on the Mac. Safari by default allows opening of files automatically after download. Bad move. This caused problems in the past with some ‘rogue’ Widgets a few years ago, but folks realized it was easy to fix this and turned it off under Safari preferences. With Safari open, Click Safari on the Menu bar, then click Preferences, on the first tab (General), at the bottom, untick Open ‘safe’ files after downloading. Personally, I prefer to use a variety of browsers, such as Firefox, Google Chrome, Opera for various things. Firefox and Chrome have some some great addons to help protect you. Opera has some as well.

Keeping programs up to date – Keeping Adobe Flash, Adobe Reader, and other addons/plugins, web browsers, and other software that touch the Internet up to date, as well as the operating system itself.

Paying attention The next biggest problem I see are people not paying close enough attention (regardless of their OS), and not familiarizing themselves with their OS as well as they could. This type of malware tries to replicate some sort of a security area on the OS to some degree and scare you into thinking they are finding malware on your system.

This type of malware requires you allow the installation.

On Windows computers, by clicking through the Administrator authentication box, and on the Mac by authenticating with your Admin password.

On Windows, way too many things ask for this kind of authentication (although it is better than it used to be), but on the Mac, which is more like UNIX/Linux in that regard, you are only asked when it could be a potential threat to the system like installing software that wants access to the system, or needs access to system areas. We should always be sure we know what is being installed and why before authenticating with our Admin password. Don’t have a password? Set one up under Accounts in the System Preferences today!

Search results People need to be able to tell the legitimate search results from the bogus ones that have managed to get into the top searches through Black Hat SEO technicques. If you don’t have a way to at least tell whether a site is good, bad or indifferent, it makes it so easy to click on the wrong one. There are programs that can help with this. They are not foolproof, use common sense as well. A free community based one is MyWOT and it works on Windows, Mac, and Linux. There are others that work on Windows as well from antivirus/firewall companies.

Keeping things cleaned up Having and using a temporary files cleaner. I run it after every single browser session, but every day or at worst case once a week would work as long as you don’t notice any issues or weirdness with your OS.

There is a good one for Windows called CCleaner (free and paid versions). For the Mac there are several available. I like MainMenu. It is not free, priced at $15 and a bit more for the Pro version. Main Menu is also available in the MacApp Store. Another favorite is free, OnyX.

You can find out more information about this “Mac Defender” malware in the following articles:

An AppleCare support rep talks: Mac malware is “getting worse” (at Ed Bott Microsoft Report on ZDNet (first article on it)

New Mac Malware Fools Customers, But Threat Still Relatively Small (Wired.com’s Gadget Labs)

Malware on the Mac: is there cause for concern? Ars investigates (Arstechnica)

Modern Mac owners need to ignore the dinosaurs and get protection (Hardware 2.0 at ZDNet)

Microsoft links fake Mac AV to Windows scareware gang (Computerworld)

Don’t Panic Over the Latest Mac Malware Story (SecurityWeek):

Now that we’ve established who benefits from Mac malware predictions — security companies and a certain type of IT professional — the second question is, do we care about the prediction that “serious” malware is coming to Macs? Only a little. It is true that Macs aren’t dusted with some sort of magic unicorn Unix-y pixie powder that makes it less vulnerable to security flaws than Windows. But it is equally true that the Mac remains a less risky platform than Windows because of the fewer strains of malware written for OS X. By “fewer” I mean 99% fewer: a hundred malware samples versus 50 million. The Mac also has a much less evolved malware supply chain. By “less evolved” I mean “nonexistent,” this one example notwithstanding.

And with that, I will close this topic for the time being…

EDIT added Bleeping Computer article on removal of Mac Defender and the last article from Hardware 2.0 at ZDNet and Microsoft links face Mac AV to Windows Scareware Gang at Computerworld and Don’t Panic Over the Latest Mac Malware Story at SecurityWeek.

Scot’s Newsletter Forums Celebrating their 8th Year!

[tweetmeme source=”franscomputerservices” only_single=false]Hard to believe that it has been 8 years since Scot Finnie — who is now the Editor in Chief of Computerworld — started a little experimental forum, Scot’s Newsletter Forums! Eight years later, it is still going strong.

I remember when the forums first started. Many of us were there from the beginning, or very nearly so. We were subscribers of Scot’s Newsletter when Scot announced to his subscribers.

I had been reading Scot Finnie’s articles since the old, now defunct WinMag days, and was saddened when they no longer published it. I lost track of Scot Finnie and a host of other writers for a time. I was very excited to hear about Scot Finnie and others who used to write for WinMag going on to have their own online/email newsletters and websites and finding them all over the place on the Internet.

The Scot’s Newsletter Forums has turned out to be a great place to gather, and help each other with various computer related issues, problems.

It’s a place where we SNF (Scot’s Newsletter Forums) “Highlanders” share our joys of success, and get help and understanding for our computer woes, and we have gained a level of friendship and community that is quite special, even among forums. I know that the SNF community literally reached out after the devastation of Hurricane Isabel, and physically and monetarily, as well as just emotional encouragement, helped us fix our roof — And I do mean physically. Some of the members who lived ‘near by’ actually traveled to our house with tools, materials and a willing spirit to help us put our roof back together. For those that wanted to help, but couldn’t come, they helped with providing funds to buy materials. It was a great blessing to us! And showed that even an Internet based community can be as real as any other community of neighbors, friends and family.

And all this while we work together with our various operating system situations whether it be Windows (ATW), Mac (ATM), and Linux (BATL) and other areas.

To help us celebrate the 8th year of Scot’s Newsletter Forums, ESET and WinPatrol have teamed up to help make the celebration all the more special by offering licenses to their great products in two different contests!

We really appreciate their generosity!!

Check out Corrine’s Security Garden posting about SNF 8th Anniversary as well; with even more information.

Happy 8th Anniversary Scot’s Newsletter Forums! It has been a wonderful thing to be a part of such a great ‘experiment’. 🙂