IE Zero-Day Vulnerability

Microsoft Security Advisory 2963983 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – TechNet

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

More information in the full article. There is no patch. But Microsoft has given some recommendations which are easier to understand at Security Garden’s posting:

Recommendations

As illustrated in the “Security Research and Defense Blog” reference below, users of IE 10 and 11 should ensure they haven’t disabled Enhanced Protection Mode.

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET). The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:

  • Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting

  • Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

 

Those still using Windows XP on the Internet, please be aware:

VERY IMPORTANT FOR ANY HOLD OUT WINDOWS XP USERS

This is the first of the security vulnerabilities that DOES NOT include workarounds  for Windows XP. The oldest Windows noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product’s support has expired — as is true now about Windows XP SP3 since April 8, 2014 — Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only list Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

  • a hardware router with Stateful Packet Firewall
  • should be using a ‘real’ software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET’s Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
  • block Internet Explorer through the ESET or other software firewall.
  • should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
  • uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
  • need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
  • no risky behavior
  • no banking … note very soon banks will be disallowing expired Windows XP entirely anyway.

IMPORTANT: You can not block a program from getting out to the Internet with the Windows XP Firewall. It is only a one way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall including Windows 7 and Windows 8 built-in software firewalls do.

Here’s a quote from a ZDNet article:

To those planning to stick resolutely with the aged Windows XP operating system even after Microsoft ends support next year, the advice from experts is simple: Don’t do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could  convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

If you need help with any of this, please contact your computer guru, join a forums like Scot’s Newsletter Forums – BATL (Bruno’s All Things Linux) to ask questions, or you can use the contact info on my website  to contact me for some help.

Advertisements

Support Ends today for Windows XP and Office 2003

RIP Windows XP and Office 2003!

Well, like it or not, Windows XP Home and Professional, as well as Microsoft Office 2003 support ends today, April 8, 2014.

Windows XP Home and Professional Support Ends today, April 8, 2014!

Windows XP Home and Professional Support Ends today, April 8, 2014!

 

Windows XP support end: 10 steps to cut security risks – ZDNet

“While doing nothing is an option, we do not believe that most organisations — or their auditors — will find this level of risk acceptable,” vice president and Gartner fellow Neil MacDonald said in a report, Best practices for secure use of XP after support ends.

Between 20 percent and 25 percent of enterprise systems are still running XP, and one-third of organisations continue to use it on more than 10 percent of their machines, Gartner estimates.

For those still using the venerable OS after the end of routine Microsoft updates and security patches, MacDonald has come up with 10 best practices to minimise the risks.

Rest in Peace, Windows XP – PCMag SecurityWatch

Rest in Peace Windows XP 2001-2014 You will be missed!

Rest in Peace Windows XP 2001-2014 You will be missed! Image links to PCMag article.

This is the end. Your Windows XP computer will get its last update today. Oh, it’s not going to roll over and kick the bucket, but continuing to use it will be more and more dangerous, since any new vulnerabilities that arise won’t be patched. We checked in with a number of security experts to discuss just how risky life will be for those who continue to run XP.

It’s the end of the line for Windows XP – USAToday

The software — introduced in an era before texting, Facebook, Snapchat, the iPhone and iPad — has lingered thanks to the reluctance of many consumers and small businesses to change. Despite its age, XP is the No. 2 computer operating system, and many folks are in store for a rude wake-up call.

Microsoft on Tuesday ceases official support for XP. The company will no longer issue patches or system updates to protect against viruses and other malware. If you run into any snags at all, you won’t be able to call Microsoft for technical assistance.

Microsoft Ends Support for Windows XP – Mashable

“Microsoft has provided support for Windows XP for the past 12 years. But now the time has come for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences,” wrote Microsoft in an announcement.

Launched on October 25, 2001, Windows XP is one of the most successful Microsoft products ever; its successor, Windows Vista, was quickly replaced with Windows 7, and it took as long as September 2012 for Windows 7 to overtake XP as the most popular desktop operating system.

Microsoft ends support for Windows XP and Office 2003 – TheNextWeb

If you’re wondering why April 8, 2014 is the date support for both of these products ends, it’s really quite simple. Microsoft releases regular patches on Patch Tuesday, the second Tuesday of every month.

Microsoft supports its products for many years, and depending on when service packs as well as successors are released, the company eventually announces, in advance, when it will cut off support. April 8 happens to be the last Patch Tuesday for both products, meaning if security holes are found after today’s date, they won’t be plugged.

Excellent point!

Netmarketshare.com for Operating Systems pulled today showed March 2014 tallies:

Networkmarketshare, as of March 2014, pulled today, still shows Windows XP as 27.69% of the MarketShare.

Networkmarketshare, as of March 2014, pulled today, still shows Windows XP as 27.69% of the MarketShare. Link goes to metmarketshare.com

I personally still find it unbelievable that Microsoft, or any company really, would retire/pull support an OS that still garners nearly 30% of Windows users around the world.

Of course if you are an Enterprise company that can afford $200 PER PC for the first year, and increasing amounts each year THEREAFTER for Windows XP updates (security updates only by the way)…

Windows XP support will be available after April 8—just not for you – PCMag

Meet Microsoft’s Custom Support for Windows XP, described as a last-ditch effort for big businesses to quite literally buy some more time to migrate from Windows XP to a more modern operating system. The U.K. paid 5.548 million pounds to Microsoft for an additional year of support to maintain critical and important security updates for Windows XP, Office 2003, and Exchange 2003. Otherwise, Microsoft plans to end support for Windows XP by April 8.

Microsoft has been warning about the demise of Windows XP support since September, 2007, and Custom Support will extract a heavy toll from businesses that were too slow to act: up to $5 million per year (according to a report from Gartner), negotiated on a custom, per-company basis. Last year, Gartner issued a report claiming that the prices could go as high as $200 per PC, per year. The firm called such prices “punitive”.

Should consumers get the same break?

To date, Microsoft has given no indication that it will extend consumer support for Windows XP after the April 8 deadline, even though it has extended anti-malware support through July, 2015. After that date, any and all vulnerabilities found for Windows XP will live on forever, even though there are some avenues to keep your PC safe and protected after the deadline expires.

BTW: Apple‘s Mac OS X Mavericks holds 3.75% of the market (putting it between Windows 8.1 and Vista), however, if you include all Mac OS X operating systems listed: Mac OS X 10.6 1.29% (support ended), Mac OS X 10.8 1.18%, Mac OS X 10.7 1.05% Mac OS X 10.5 .24% (support ended), Mac OX X 10.4 0.06% (supported ended), and Mac OS X no version reported 0.01%, then the total is 7.58% of the operating system total market share (which puts it on the low end between Windows XP and Windows 8).

But, that does mean that only 1.59% of all Mac OS X users are running expired versions with no support.

Compare that with 27.69% of Windows users running  Windows XP.

NOTE: That doesn’t count the expired/no support users running Windows NT at 0.15%, Windows 2000 at 0.03%. Apparently Windows 98 users have finally fallen off at 0.00%.

Windows XP end of support: why it concerns you – OnWindows.com

Reto Haeni explores the risks of running Windows XP after its end of service and the benefits of migrating to newer operating systems

This article was first published in the Spring 2014 issue of Touch

Designed in a different era

Computers running Windows XP routinely experience a significantly higher malware infection rate than computers running any other supported version of Windows. Much of the elevated infection rate on Windows XP can be attributed to the fact that some of the key built-in security features included with more recent versions of Windows are not present in Windows XP. Windows XP, designed in a different era, simply can’t mitigate threats as effectively as newer operating systems, like Windows 7 and Windows 8. As the threat landscape has evolved over the past twelve years since the release of Windows XP, so has software security.

It’s time folks! If you haven’t done it yet, and if you are still running Windows XP on the Internet, it is high time to correct this by upgrading to a modern OS that is still supported, or disconnect from the Internet.

Please, unless you are a technical person who truly understands the risks and has taken steps to mitigate the overwhelming risks, then please be responsible and disconnect your Windows XP computer now!

Or move to new computer running a current version of Windows, or a Mac from Apple, or the Open Source ‘UNIX like’ Linux operating system and run Windows XP programs with Crossover as suggested here, or you could use Windows XP offline, and use a Linux LiveCD for Internet surfing and email, etc as suggested here and not mess up your offline Windows XP system. No matter how you do it, PULL THE PLUG on Windows XP – Disconnect the Ethernet or Wireless connection to the Internet! Just as soon as you get any April 8th Windows Updates on Patch Tuesday.

Unless you know what you are doing, you will be playing Russian Roulette with your Windows XP computer if you allow it to be online once Microsoft ends support after April 8, 2014. And that has been only Life Line extended support since 2009.

 

Microsoft Office 2003 support ends today, April 8, 2014!

Microsoft Office 2003 support ends today, April 8, 2014!

We also mentioned Microsoft Office 2003. Oh, yes, Microsoft Office 2003 has also expired today. No more security updates will be provided for Office 2003 either, just like Windows XP.

If you are still using Office 2003, it’s high time to remove it and move to a current version of Microsoft Office, or move to one of the Open Source alternatives such as;  Apache Foundation‘s OpenOffice.org or Document Foundation‘s LibreOffice, or move to using online versions of MS Office software like MS Office Web Apps or move over to Google’s online document handling programs; Google Docs.

 

Stay safer online or get files from corrupted Windows install

[tweetmeme source=”franscomputerservices” only_single=false]So, you need to get your files from your computer, but Windows won’t boot due to malware infection, or defective hardware or corrupted Windows install? Or maybe you just want to have a safe way to surf the Internet, or more safely do your online banking?

Clark76’s post entitled Saving files on a corrupt OS tells you how to use Ubuntu Linux LiveCD to get your files from a corrupted Windows install and backup/save them to a Flash drive for later restoration.

The only thing I would add to that posting is to make sure that if you reinstall Windows on the system, make sure that an antivirus software package is installed before trying to recover/copy the files back to your user account on Windows.

Using Ubuntu Linux LiveCD can also be an excellent way to keep your banking information safer if you use online banking as noted in my Technorati article entitled, How to be Safer While Banking Online from October 12, 2009.

There are just two ways that a Linux LiveCD can keep you safer online, or help you avert/recover from disaster. Linux LiveCDs are also a safer way to browse the Internet in these uncertain times since you can choose to disallow any changes to your system when booting your computer to a LiveCD.