Patch Tuesday Sounds the Death Knell for XP

Patch Tuesday Sounds the Death Knell for Win XP – Graham Cluley – Lumension Blog

So this is it.

The big one.

We’ve had false starts before, but this time Microsoft really *are* going to tell the world about security vulnerabilities in Windows and *not* patch them in XP.

As soon as Microsoft releases its regular bundle of security patches later today, the clock starts ticking.

Because malicious hackers and penetration testers will be exploring how they can reverse-engineer Microsoft’s fixes in more modern versions of Windows to see if they can be exploited on the no-longer-supported Windows XP.

And, trust me, although the numbers are falling – there are still plenty of home users and businesses running computers on Windows XP.

Much more in the article.

And Graham Cluley is right … Microsoft is NOT patching Windows XP this time for this critical Internet Explorer vulnerability, as they did on May 1. However, they did patch many other things.

Oh, and don’t forget your Adobe updates for Flash, Reader, and more!

NOTE: Windows XP still garners 26.29% of total NetMarketShare (Operating System by Version). Windows 7 is at 49.27%. Between them, Windows 7 and Windows XP hold 3/4 of all the global market share; every other OS fits in the last 1/4 of the Operating System by Version pie.

Malware infections tripled in late 2013 thanks to sneaky browser plugin, Microsoft says

Malware infections tripled in late 2013 thanks to sneaky browser plugin, Microsoft says – PCWorld

A three-fold increase in Microsoft Windows computers infected with malicious software in late 2013 came from an application that was for some time classified as harmless by security companies.

The finding comes as part of Microsoft’s latest biannual Security Intelligence Report (SIR), released on Wednesday, which studies security issues encountered by more than 800 million computers using its security tools.

Microsoft has added detection of this malicious piece of crap to its Malicious Software Removal Tool (MSRT), and let others know about it as well back in December 2013, according to the article.

Critical Java SE update due Tuesday fixes 40 flaws

Critical Java SE update due Tuesday fixes 40 flaws – The Reg

And yes, most are remotely exploitable

According to Oracle’s security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password.

Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013.

Watch for it and install it if you have Java installed on your system. If you are sure you don’t need Java for anything, it would be best to uninstall it or disable it until the update, or at least disable Java in your browsers.

IE10 is now available for Windows 7 – Finally

IE10 is now available for Windows 7 – Finally!!

It is great news that the most modern Internet Explorer browser will now be available for Windows 7.

Before today, IE10 was only available for Windows 8 and that only since about October 2012.

In SecurityGarden’s posting about this:

Key Improvements

Key improvements in IE9 include improved performance, security, and privacy. Of major significance are the results of the independent testing conducted by NSS Labs, referenced below, in which IE10 with App Rep had a mean malware block rate of 99.1%.

SecurityGarden’s posting also covers the CPU and Windows 7 32/64-bit requirements, has a link to check whether your computer is 32-bit or 64-bit, and of course provides the download links and more.

Oh, another cool feature of IE10 is one that is already built into Google Chrome: Flash is incorporated within IE10 and updated within the browser. Hopefully that will work out well over time for both browsers. And hopefully they will not fall down on their vigilance in being very fast at getting the Flash updates incorporated as they are released.

Disable Java – Windows, Mac, Linux

US Department of Homeland Security advises disabling Java following fresh zero-day vulnerability – The Verge

A new Trojan horse has been discovered that exploits a flaw found in Java, leaving computers running Windows, Mac OS, and Linux vulnerable to attack. Mal/JavaJar-B allows attackers to remotely trigger code once it infects a system, potentially leading to the installation of malware, or even ransomware. Oracle hasn’t yet patched the vulnerability, which targets even the latest version of Java.

US-CERT RECOMMENDS THAT USERS DISABLE JAVA IN WEB BROWSERS

Apple has already taken care of this on the Mac by updating to disallow all Java, including the current version; only a new version that hasn’t even been released yet would be allowed. Excellent move from Apple.

Firefox and Google Chrome have had you click to even use Java for a while now. From my experience, I believe that includes the current version of Java as well. As noted above, Firefox now includes the current version of Java in their blacklist. You have to personally choose to actually use Java using their Click to Play feature. Thank you Mozilla!

On December 21, 2012, Google Chrome instituted, as noted in their blog posting, a feature that disallows silent extension add-on installations. I believe this is something that Mozilla did some time ago when they experienced problems with it. Or maybe not.

So you will definitely want to disable Java in all browsers in Windows, Linux and on the Mac just to be safe for now.

Internet Explorer now allows you to disallow plugins by default and only allow those you specifically allow. But if you have allowed Java in the past, you will want to disable it:

How to Disable Java – PCMag

The PCMag article gives instructions for all the main browsers. Check it out and, for your own sake, please don’t use a browser that allows Java for general use, at least for now.

Disable it in at least one browser that you can use for general purpose use.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you’ll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

More here at Security Garden, Dottech.org (How to/tutorial with images) and Venture Beat as well.

I have Java totally disallowed in my main browser, and enabled in one of my other browsers so I can still go to Secunia.com to use their OSI (Online Security Inspector) to check plugins and Internet-facing programs. I also compare that with Firefox’s plugin checker. This is in Windows. On my Mac, I have Java disabled in all but one browser and turn Java on and off as needed overall. In Linux, Java is also disabled in my main browser.

This is very important until Oracle gets this updated and becomes quicker at fixing these vulnerabilities.

Oracle really needs to get on the stick before they and all the programs that make use of them are made obsolete! And there are millions of them!!!

EDIT: As of 1/11/2013 – Added Mozilla’s and Apple’s change to include blacklisting of the current version of Java due to the Trojan affecting even the current version of Java. See the info earlier in the posting.

Oracle to stop patching Java 6 in February 2013

Oracle to stop patching Java 6 in February 2013 – Computerworld

The article notes that of course this will be a hardship for Mac OS X Snow Leopard users and for users of earlier versions of OS X, but that is not as far as this rabbit hole goes. Very good article. Well worth a read.

That will leave a significant portion of Mac users without the means to run an up-to-date Java next year. According to Web metrics company Net Applications, approximately 41% of all Macs still run versions of OS X older than Lion.

Apple will presumably issue the final OS X patches for Java 6 in February alongside Oracle’s update.

It will also be hard on businesses, and even government agencies and departments, that will now be forced to work over their Java-based programs to make sure they still work with the current versions of Java 7.

That also means that Oracle themselves will have to update their Forms and Reports (or maybe these are things built by the companies using them too) to work with Java 7, so that companies and some government agencies and departments can keep working with the vendors that provide services and products to them. Currently, many of them must make use of Oracle Forms and Reports built on Java 6 from a special site, like the MyInvoice subdomain that the government military still uses. That site requires a later version of Java 6 even now. This puts them and their vendors at risk by requiring an old Java on their systems in order to even work with them.

And what about the medical community? I have seen them falling down on the job as well in keeping up with the version of Java that physicians must use on their computers in order to read X-rays remotely from home or on the road.

The article is further concerned about even upgrading to Java 7:

On Tuesday, Polish researcher Adam Gowdiak, who reported scores of Java vulnerabilities to Oracle this year, told the IDG News Service, “Our research proved that Java 7 was far more insecure than its predecessor version. We are not surprised that corporations are resistant when it comes to the upgrade to Java 7.”

Now that is sad news indeed. There are many sites that make use of Java, and with good reason! Even Android is based on Linux — C, C++ and Java. As are many embedded systems, phones, and many electronic devices around the home.

Oracle needs to fix this problem and their Java. If they are going to be the owner of Java, they need to do better with the Java programming language, so that companies are not concerned about moving to their Java 7! So many programming ecosystems out there depend on Java.

They inherited Java, the huge ecosystems that depend on it, and its base of users when they bought out Sun Microsystems. They can’t make swiss cheese with a door and think people will be fine with this. Even things like OpenOffice.org and LibreOffice depend on Java — thankfully the current Java, but even that is, according to this article, problematic. And what about all the embedded devices that depend on Java? When you install Java and are waiting for it to install, Oracle proudly talks about the billions of devices that run Java. Oracle’s Java.com About page proudly states:

To date, the Java platform has attracted more than 9 million software developers. It’s used in every major industry segment and has a presence in a wide range of devices, computers, and networks.

Java technology’s versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

  • 1.1 billion desktops run Java
  • 930 million Java Runtime Environment downloads each year
  • 3 billion mobile phones run Java
  • 31 times more Java phones ship every year than Apple and Android combined
  • 100% of all Blu-ray players run Java
  • 1.4 billion Java Cards are manufactured each year
  • Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

To see places of Java in Action in your daily life, explore java.com.

The bold on the bullet list above is mine.

Oracle really needs to wake up now before they totally destroy the great reputation that Sun Microsystems had when they conceived and built so much with Java. And all for nothing!

Trust is a terrible thing to waste.

New Mac Malware – Is Mac no longer safer?

Update: 5/25/2011 – Updates to this posting from Computerworld, USAToday and Apple themselves, in the form of a support document to help users remove the malware and a promise to provide a tool that will remove it and notify users if they attempt to download the malware. See details below.

With the equivalent of “Security Center 2011” now having a counterpart for the Mac called “MAC Defender, Mac Security, Mac Protector, or any number of knockoff names”, there is a lot of discussion as to how safe the Mac still is compared with Windows.

I have not seen any Windows variant of this type of malware that is as easy to remove from Windows as it is from the Mac.

Sure, Malwarebytes Antimalware will take care of it easily on Windows, even if you somehow are tricked through social engineering into clicking on it (it can get a little dicier depending on how far you let it get), but with the Mac, you just go to Applications, find Mac Defender and throw it in the trash and flush. What’s easier than that? Bleeping Computer has the full removal instructions here.

EDIT 5/25/2011 – IMPORTANT REMOVAL INFO: Apple has also now posted removal instructions, including killing the process, removing the program, and stopping it from starting on boot, here. This was noted in Computerworld: Apple admits Mac scareware infections, promises cleaning tool; USAToday: Apple to issue Mac update to halt malware attacks; and Ars Technica: Apple acknowledges Mac Defender malware, promises software update, as well as likely other places on the web today.

The Computerworld article above notes:

Andrew Storms, director of security operations with nCircle Security, was surprised that Apple said it would embed a malware cleaning tool in Mac OS X.

“That’s new ground for Apple,” Storms said, pointing out that the move is a first for the company, which until now has only offered a bare-bones malware detection mechanism in Mac OS X 10.6, aka Snow Leopard, and then only populated it with a handful of signatures.

“Not only is Apple going to help customers remove [Mac Defender], but by doing so, they’re also admitting that there are security problems with Mac OS,” Storms said.

Even though it is very easy to remove, Mac Defender being out there does mean that malware, particularly on compromised websites, has begun to include other platforms. And you can bet others will follow. And they may not be as easy to remove.

So, does it mean Mac users should be installing Antivirus and/or Antimalware programs? I have, but according to the Wired.com article below:

Charlie Miller, a security researcher who has repeatedly won the annual Pwn2Own hacking contest by hacking Macs and iPhones, told Wired.com he doesn’t think so.

Ultimately, it’s up to the customer because there’s a trade-off involved. Anti-virus software will help protect your system from being infected, but it’s expensive, uses system memory and reduces battery life.

“Mac malware is still relatively rare, but is getting worse,” Miller said. “At some point soon, the scales will tip to installing antivirus, but at this point, I don’t think it’s worth it yet for most people.”

So how is this happening?

Browser choice and settings – The first problem I see for Mac users is Safari and its settings. First, for the same reason I rarely ever use Internet Explorer in Windows, I rarely use Safari on the Mac. Safari by default allows opening of files automatically after download. Bad move. This caused problems in the past with some ‘rogue’ Widgets a few years ago, but folks realized it was easy to fix this and turned it off under Safari preferences. With Safari open, click Safari on the Menu bar, then click Preferences; on the first tab (General), at the bottom, untick Open ‘safe’ files after downloading. Personally, I prefer to use a variety of browsers, such as Firefox, Google Chrome and Opera, for various things. Firefox and Chrome have some great addons to help protect you. Opera has some as well.

Keeping programs up to date – Keep Adobe Flash, Adobe Reader, and other addons/plugins, web browsers, and other software that touches the Internet up to date, as well as the operating system itself.

Paying attention – The next biggest problem I see is people not paying close enough attention (regardless of their OS), and not familiarizing themselves with their OS as well as they could. This type of malware tries to replicate some sort of security area on the OS to some degree and scare you into thinking it is finding malware on your system.

This type of malware requires you to allow the installation: on Windows computers, by clicking through the Administrator authentication box, and on the Mac, by authenticating with your Admin password.

On Windows, way too many things ask for this kind of authentication (although it is better than it used to be), but on the Mac, which is more like UNIX/Linux in that regard, you are only asked when it could be a potential threat to the system like installing software that wants access to the system, or needs access to system areas. We should always be sure we know what is being installed and why before authenticating with our Admin password. Don’t have a password? Set one up under Accounts in the System Preferences today!

Search results – People need to be able to tell the legitimate search results from the bogus ones that have managed to get into the top searches through Black Hat SEO techniques. If you don’t have a way to at least tell whether a site is good, bad or indifferent, it is all too easy to click on the wrong one. There are programs that can help with this. They are not foolproof; use common sense as well. A free community-based one is MyWOT, and it works on Windows, Mac, and Linux. There are others that work on Windows as well, from antivirus/firewall companies.

Keeping things cleaned up – Have and use a temporary files cleaner. I run it after every single browser session, but every day, or at worst once a week, would work as long as you don’t notice any issues or weirdness with your OS.

There is a good one for Windows called CCleaner (free and paid versions). For the Mac there are several available. I like MainMenu. It is not free, priced at $15 and a bit more for the Pro version. MainMenu is also available in the Mac App Store. Another favorite, OnyX, is free.

You can find out more information about this “Mac Defender” malware in the following articles:

An AppleCare support rep talks: Mac malware is “getting worse” (Ed Bott Microsoft Report on ZDNet; first article on it)

New Mac Malware Fools Customers, But Threat Still Relatively Small (Wired.com’s Gadget Labs)

Malware on the Mac: is there cause for concern? Ars investigates (Arstechnica)

Modern Mac owners need to ignore the dinosaurs and get protection (Hardware 2.0 at ZDNet)

Microsoft links fake Mac AV to Windows scareware gang (Computerworld)

Don’t Panic Over the Latest Mac Malware Story (SecurityWeek):

Now that we’ve established who benefits from Mac malware predictions — security companies and a certain type of IT professional — the second question is, do we care about the prediction that “serious” malware is coming to Macs? Only a little. It is true that Macs aren’t dusted with some sort of magic unicorn Unix-y pixie powder that makes it less vulnerable to security flaws than Windows. But it is equally true that the Mac remains a less risky platform than Windows because of the fewer strains of malware written for OS X. By “fewer” I mean 99% fewer: a hundred malware samples versus 50 million. The Mac also has a much less evolved malware supply chain. By “less evolved” I mean “nonexistent,” this one example notwithstanding.

And with that, I will close this topic for the time being…

EDIT: added the Bleeping Computer article on removal of Mac Defender and the last articles: from Hardware 2.0 at ZDNet, Microsoft links fake Mac AV to Windows scareware gang at Computerworld, and Don’t Panic Over the Latest Mac Malware Story at SecurityWeek.

New Flash Player Zero Day

ZDNet reports, Adobe warns of new Flash Player zero-day attack:

Hackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.

These are being used to steal secrets from corporations, likely through downloaded and emailed Microsoft Office documents such as Word and Excel files.

Adobe is working on patches for Flash 10.2.x and for earlier versions as well, for just about every OS out there.

Adobe Reader X protected mode will “prevent an exploit of this kind from executing.” The actual fix won’t come till their normal patch cycle in June for Adobe Reader. So be sure to get the latest version (Adobe Reader X)!

Much more in the article including information and links to Adobe’s security release.

Lizamoon and Epsilon breach

There are two major things that users need to be aware of right now, as if there weren’t enough already. 😉

One affects email and the other affects browsing/surfing the Internet. Both bad news, and we all need to be very aware of what has happened and why we have to be very vigilant in making sure we don’t click on links in email, open attachments sent in email, or respond to potential unexpected boxes and requests while surfing the Internet.

Financial and payment services are the biggest areas being hit right now, and will continue to be so much more effective and dangerous due to the current economy while people scramble to survive around the world.

Targeted Sectors Q2 2010 - Anti-Phishing Working Group (APWG)


Lizamoon/LizaMoon drive-by rogue malware infection

Lizamoon is a drive-by rogue antimalware or antivirus download infection. Thankfully, you generally have to take some action to allow it to install, as noted by Fred Langa in the free edition of the WindowsSecrets.com newsletter in his article entitled “LizaMoon infection: a blow-by-blow account”. Must read!

The most important takeaway is that Fred said he had to take action on four separate occasions before the infection took place:

On the other hand, deliberate choices and actions by a user can defeat any software. LizaMoon required my active, voluntary involvement four different times before the infection took hold.

LizaMoon wasn’t even subtle: I had plenty of warnings and opportunities to abort the process, the malware itself provided abundant clues to its own bogus nature (such as an inability to keep its aliases straight).

Much more in the article. A must read for all who surf the Internet, to be able to identify this rogue drive-by infection when/if it happens.

The biggest takeaway: we can prevent these types of things by being aware and not clicking on things just because they are presented to us while surfing the Internet.

Epsilon breach – Spear Phishing attacks

Epsilon is an outsourced marketing company for many big companies and banks. It holds a huge database of people’s email addresses, names and the company or bank associated with each email address. That makes spear phishing, already a very effective social engineering technique, so much more effective via email, mainly because the attackers know the email addresses are real and, more importantly, can link the real name and the actual company or bank to each email address.

Computerworld reports, “Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.”

Brian Krebs (KrebsOnSecurity) and Heise Online Security report,

Epsilon has now confirmed that approximately 2 per cent of its total clients were affected. According to a blog post by security blogger Brian Krebs, financial services company Visa and American Express (Amex) say that they were not impacted by the Epsilon breach. However, the following banks, service providers and online retailers are said to have been affected:

1-800-FLOWERS
AbeBooks
Air Miles (Canada)
Ameriprise Financial
Barclay’s Bank of Delaware
Beach Body
Bebe Stores
Best Buy
Benefit Cosmetics
Brookstone
Capital One
Chase
Citigroup
City Market
College Board
Dillons
Disney Destinations
Eddie Bauer
Eileen Fisher
Ethan Allen
Euro Sport (Soccer.com)
Food 4 Less
Fred Meyer
Fry’s Electronics
Hilton Honors Program
Home Depot Credit Card (Citibank Editor)
Home Shopping Network
JPMorgan Chase
Kroger
Marks and Spencer
Marriott
McKinsey Quarterly
MoneyGram
New York & Co.
QFC
Ralph’s
Red Roof Inns
Ritz-Carlton
Robert Half International
Smith Brands
Target
TD Ameritrade
TiVo
U.S. Bank
Walgreen’s

Much more in these articles (must read), as well as others on the web including the Washington Post, eWeek, the BBC, and others.

The biggest takeaway: Don’t believe everything you see in email. Don’t trust links or downloads in email. Check with the person who sent it before opening any downloads, and don’t give out information about your bank, other sites, etc., unless you can confirm the request definitely came from them. You can always go to the site directly from your own bookmarks/favorites and log in to ensure you get to the right place. Don’t use the links in email unless you can verify it’s really from the company. In fact, one can get into trouble and get further compromised by clicking on links in email.

Side note: this is why I do not view email as HTML. So much can be hidden behind all the pretty pictures and code.
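As an added example (not from the original post), here is a small Python check that applies the advice above to an HTML email: it parses the anchors and flags links whose visible text names one site while the href points at another, links to bare IP addresses, and links using non-web schemes. The email body, hosts and addresses are constructed for the example.

```python
"""
Flag suspicious links in an HTML email body.

Added example (not part of the original post): the check looks for anchors
whose visible text names one host while the href actually points at another,
plus hrefs that use a bare IP address or a non-HTTP(S) scheme. The sample
email, hosts and addresses below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample: an "account alert" whose visible link text says one
# thing while the real destination is elsewhere.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please verify your account at
<a href="http://secure-login.example.net/verify">https://www.examplebank.com/login</a>
within 24 hours.</p>
<p>Or use our <a href="https://www.examplebank.com/help">help center</a>.</p>
<p>Download the statement: <a href="http://203.0.113.7/stmt.pdf">statement.pdf</a></p>
</body></html>
"""

# A host name that appears in the visible link text, with any scheme/www prefix.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels (fine for the example, not for ccTLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons a link looks suspicious (empty list if it looks clean)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parsed.scheme!r}")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        reasons.append("href points at a bare IP address")
    else:
        # Only compare against the visible text when there is a real host name;
        # the text "statement.pdf" would otherwise look like a mismatched domain.
        m = _HOST_IN_TEXT.search(text)
        if m and host and registered_domain(m.group(1)) != registered_domain(host):
            reasons.append(f"text says {m.group(1)} but href goes to {host}")
    return reasons


def suspicious_links(html):
    """Return [(href, reasons)] for every anchor that triggers at least one check."""
    parser = _AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.anchors:
        reasons = check_link(href, text)
        if reasons:
            results.append((href, reasons))
    return results


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```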

And be prepared. Keep your antivirus software and antimalware program up to date as well, and clear your Internet cache frequently. If you suspect you have been hit with one of these rogue antivirus/antimalware attacks, unplug the Internet/network cable from your computer to prevent further harm and take appropriate action by running Malwarebytes Antimalware, CCleaner (or whatever temporary Internet file cleaner you use), and then a scan with your antivirus software, and take whatever action they recommend. Links to these programs are provided on our Resources page.

If you make sure both of these are updated before you surf for the day, you will be in a much better situation should you somehow get hit with something.

And do your backups, and have an image of your OS to restore from if it becomes necessary. Windows 7 makes this very easy to do with their built-in image creator and backups, and system repair disk.

Internet Explorer Search Bar Malware Hijack

Recently, the Google Gala malware has been hijacking the Google search engine in Internet Explorer’s Search Bar. In addition, Fast Browser Searching apparently has been getting installed through some means and stealing the Google homepage of other users.

Google Gala and Fast Search hijacks are nothing new, but they are making a serious comeback. I am not sure how they are injecting themselves into the Google search in the IE8 Search Bar, but they definitely are corrupting the Google search engine in the IE8 Search Bar. This has been known to happen in Firefox in the past as well. And who knows how long it will be till Google Chrome and other browsers are hit the same way, if not already.

Browser makers need to harden their Search Bar against this type of attack, but until they do, we have to take matters into our own hands.

If you feel the need to use Internet Explorer, I would strongly suggest hiding or removing the IE8 Search Box and going directly to Google website instead.

As shown at w7forums link above, to hide/remove the IE8 Search Box:

Start -> run -> gpedit.msc

Or better yet, change to an alternative browser, like Google Chrome or Mozilla Firefox.

The advantage of Google Chrome’s built-in Flash Player, which is updated automatically through Google Chrome’s update mechanism, is quite attractive. In addition, Google Chrome is fast to load and now has extensions such as Adblock Plus, WOT, FlashBlock and others, as Mozilla Firefox has had for a long time. In addition, Google Chrome has a built-in ‘sandbox’ feature which can save a world of hurt while browsing the web. Although it is not perfect, it is a great feature.

I have to say for years now, I have not used any built-in browser search bar. I go directly to the Google website, or other favorite search engine websites directly. I would suggest that, until browser developers harden their search bars, it would be wise to not make use of search bars for searching.

In addition, I would strongly suggest you install and run CCleaner frequently. Close your browser after every use, then right-click on the Recycle Bin and choose Run CCleaner after every use of the browser.

If you do get hit with malware like Security Shield for any reason, but especially in this case, due to the redirection/hijack of search results in the IE8 Search Bar, you will need to use rkill or the Task Manager (if available) to find/kill the oddly named Security Shield process and then update and run Malwarebytes Antimalware to get rid of related registry entries, hidden files, etc., as shown in BleepingComputer’s Security Shield Uninstall Guide.

Or call your computer expert to help you with removal of the malware.

The most important thing is not to continue to use the computer on the Internet until it is removed to keep from getting hit with more malware. Redirection to malware sites posing as legitimate websites and searches is a strong possibility while infected with malware.

EDIT: I started writing this post yesterday morning and got it published at 12:06PM. Within hours, there was a security advisory by Microsoft and articles about:

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is investigating new public reports of a vulnerability in MHTML on all supported editions of Microsoft Windows. This vulnerability manifests itself in Internet Explorer.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on our customer needs.

What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content. The MHTML protocol handler in Windows provides a pluggable protocol (MHTML:) that permits MHTML encoded documents to be rendered in applications.

What causes this threat?
The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s Internet Explorer instance. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker could convince a user to click a specially crafted link that would inject a malicious script in the response of the Web request.

Sure sounds like this may be the problem I was writing about in this posting.
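As an added example (not part of the original post or of Microsoft’s advisory), a defender can watch proxy or web-server logs for requests that invoke the mhtml: protocol handler the advisory describes. The Python below does that over constructed log lines; the log format, hosts and addresses are assumptions made for the example, and mhtml:<root-url>!<part> is the handler’s URL form.

```python
"""
Flag requests that use the mhtml: protocol handler in proxy logs.

Added example, not part of the original post or of Microsoft's advisory.
The log format ("<unix time> <client ip> <requested url>") and every entry
below are constructed for the example.
"""
from urllib.parse import unquote, urlparse

# Constructed proxy log: one normal request, two direct mhtml: requests
# (one pointing at a remote .mht, one at a local file), another normal
# request, and one where the mhtml: URL is percent-encoded inside a query.
SAMPLE_LOG = """\
1298000001 10.0.0.5 http://intranet.example.com/news.html
1298000002 10.0.0.7 mhtml:http://files.example.org/report.mht!part1
1298000003 10.0.0.9 MHTML:file://C:/Users/jdoe/doc.mht!x
1298000004 10.0.0.5 http://cdn.example.net/lib.js
1298000005 10.0.0.8 http://example.org/redir?u=mhtml%3Ahttp%3A%2F%2Fbad.example%2Fa.mht%21b
"""

SCHEME = "mhtml:"


def mhtml_root(url):
    """Return the root document URL if `url` invokes the mhtml: handler, else None.

    The handler addresses a part of an MHTML document as mhtml:<root-url>!<part>.
    The scheme is matched case-insensitively and after one round of
    percent-decoding, so an encoded copy carried in a query string is seen too.
    """
    decoded = unquote(url)
    idx = decoded.lower().find(SCHEME)
    if idx < 0:
        return None
    return decoded[idx + len(SCHEME):].split("!", 1)[0]


def describe_root(root):
    """Name the origin of the root document: its web host, or else its URL scheme."""
    parsed = urlparse(root)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname
    return f"({parsed.scheme or 'no scheme'} url)"


def find_mhtml_requests(log_text):
    """Return one dict per log line whose requested URL invokes the mhtml: handler."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line; a real parser would log and skip it
        when, client, url = fields
        root = mhtml_root(url)
        if root is None:
            continue
        hits.append({
            "time": int(when),
            "client": client,
            "url": url,
            "root": root,
            "root_origin": describe_root(root),
        })
    return hits


if __name__ == "__main__":
    for hit in find_mhtml_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> mhtml root {hit['root']} "
              f"({hit['root_origin']})")
```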