IE Zero-Day Vulnerability

Microsoft Security Advisory 2963983 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – TechNet

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

More information in the full article. There is no patch. But Microsoft has given some recommendations which are easier to understand at Security Garden’s posting:


As illustrated in the “Security Research and Defense Blog” reference below, users of IE 10 and 11 should ensure they haven’t disabled Enhanced Protection Mode.

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET). The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:

  • Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting

  • Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.


Those still using Windows XP on the Internet, please be aware:


This is the first of the security vulnerabilities that DOES NOT include workarounds  for Windows XP. The oldest Windows noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product’s support has expired — as is true now about Windows XP SP3 since April 8, 2014 — Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only list Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

  • a hardware router with Stateful Packet Firewall
  • should be using a ‘real’ software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET’s Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
  • block Internet Explorer through the ESET or other software firewall.
  • should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
  • uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
  • need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
  • no risky behavior
  • no banking … note very soon banks will be disallowing expired Windows XP entirely anyway.

IMPORTANT: You can not block a program from getting out to the Internet with the Windows XP Firewall. It is only a one way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall including Windows 7 and Windows 8 built-in software firewalls do.

Here’s a quote from a ZDNet article:

To those planning to stick resolutely with the aged Windows XP operating system even after Microsoft ends support next year, the advice from experts is simple: Don’t do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could  convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

If you need help with any of this, please contact your computer guru, join a forums like Scot’s Newsletter Forums – BATL (Bruno’s All Things Linux) to ask questions, or you can use the contact info on my website  to contact me for some help.

Certificate Authoritities, DigiNotar, GlobalSign, OSes, Browsers, Adobe, more

[tweetmeme source=”franscomputerservices” only_single=false]DigiNotar Breach Affected 531 Certificates (Tom’s Hardware):

The break-in in Certificate Authority (CA) DigiNotar back in July was much worse than previously thought.

A preliminary analysis of the incident now claims that there have been 531 fraudulent certificates. The hackers may have explored DigiNotar’s servers for the first time in early June and gained control on June 17. The company detected the hack on June 19, but failed to prevent the creation of the first rogue certificate on July 2. The hacker activity apparently ended on July 22.

As a Aryeh Goretsky stated at Scot’s Newsletter Forums noted so succinctly:

DigiNotar, a company which issues digital certificates used to establish cryptographically-secure connections to web sites, was hacked, and over 500 certificates were acquired for high-profile web sites. Amongst other things, this would allow someone* to monitor what would otherwise be secure, private connections to those sites. Passwords, emails, personally-identifiable information and other sensitive data could be viewed by someone* who would otherwise not be able to see that information.

*Such as a government, ISP, or government-owned ISP.

Aryeh, I couldn’t have said it better myself.

And highlighting the fact that it could be a government, ISP, or government-owned ISP is spot on to the concerns.

There was recently an article that suggested that this has already happened in Iran.

Hackers steal SSL certificates for CIA, MI6, Mossad (Computerworld):

Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue ‘death sentence’

Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft’s Windows Update service.

Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for had targeted Iranian users.

Much more in this two page article where a link to Markham’s blog details more about this:

On Monday August 29th at 6.30pm BST Mozilla was informed by Google about a misissued certificate for * which was being used in active attacks on users in Iran. This certificate was chained to the root of the Dutch CA “DigiNotar”. Since that notification, I have been part of the Mozilla team working on our response.

The CNs concerned were as follows:

DigiCert Root CA
Equifax Root CA
Thawte Root CA
VeriSign Root CA

So much more in Markham’s blog posting.

Delay in disclosing SSL theft put Iranian activists at risk, says researcher (Computerworld)

The delay in disclosing a theft of the digital certificates for some of the Web’s biggest sites, including Google, Skype, Microsoft and Yahoo, put Iranian activists’ lives at risk, a researcher argued Wednesday.

But I think EFF explains the issues best.

Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities (EFF)

What’s worse than finding a worm in your apple? Finding half a worm.

What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months.

People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.

The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.

This latest attack was reportedly caught by a user running the Google Chrome browser in Iran who noticed a warning produced by the “public key pinning” feature which Google introduced in May of this year. Basically, Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site—as this attacker did—newer versions of the Chrome browser would not be fooled.

Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn’t make it any less acceptable to web browsers.

Much more in the article…

This problem is not only related to issues of privacy related to people who’s lives would be in danger, but also, victims of malware purveyors as well.

Cryptographic keys for SSL sites are only as good as the honesty of the holder and issuer of those keys, as well as the honesty and security diligence of the issuer, in this case DigiNotar.

They would like us to think that SSL is extremely safe, but it’s not as safe as those who issue them would like us to believe either. Anyone with money can purchase a SSL certificate, and there have been malware purveyors that have also bought them so folks would ‘feel’ secure. If you see the lock, you think, “Safe”. That’s what they want you to think.

However, just like anyone can purchase what is considered a ‘legitimate’ SSL certificate, good, bad or indifferent, there are worse things.

‘Legitimate’ SSL certificates can be created by site owners as well, good, bad, or indifferent.

The companies that sell SSL certificates and browser makers put out root certificates for their browers and show green or gold with the lock for those obtained by big name sellers of these certificates. So if you are legitimate site owner who creates their own to save money, you are automatically assumed to be ‘not legitimate’ by browsers and it shows as red/dangerous to users.

I don’t see what the solution is, but it really doesn’t matter whether you make your own, or if you buy one, you are still playing craps with SSL certificates in many ways these days.

As Corrine noted in the same topic at Scot’s Newsletter Forums:

Microsoft Security Advisory 2607712 has been updated to revoke the trust of the DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.

The update is available via Automatic Update and applies to all supported releases of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Within short order, Mozilla sent out updates to their products including Firefox, Thunderbird, et. revoking the certificates.

Opera has done the same thing yesterday, disabling the root store for DigiNotar.

Because Apple was slow to act, one researcher (thanks Corrine) rapped Apple for not blocking the stolen SSL certificates, and various places on the Internet were trying to help Mac users to take care of disabling and removing the DigiNotar certificates from the KeyChain so Safari and other browsers would be safer online on the Mac. Since then, Apple released an update to revoke DigiNotar from their trusted list:

If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.

And most recently, Adobe has posted instructions on how to remove DigiNotar from the Adobe Approved Trust List (AATL) for Adobe Reader.

And here we go again (thanks zlim)…

GlobalSign Stops Issuing Digital Certificates After Hack (PCWorld)

Second firms stops issuing digital certificates (CNET)

How many more will have fallen before it’s all said and done? I am beginning to wonder if we wouldn’t be better off just generating our own SSL certificates, it would likely be as safe as this fiasco has become…


BleepingComputer Mac Rogue Remover Tool

[tweetmeme source=”franscomputerservices” only_single=false]Introducing the BleepingComputer Mac Rogue Remover Tool (BleepingComputer Forums)

BleepingComputer has been a great source for Windows users since 2005 for removal instructions and removal tools for rogue anti-spyware programs. They have helped so many! I often find myself doing research at their site.

In keeping with their past dedication and commitment in helping Windows users get rid of this malware plague with removal guides and removal tools, they have also started posting removal instructions for Mac Defender, Mac Security, Mac Protector, and even the new more nasty MacGuard which doesn’t need a password to install like the others that was just released into the wild (at least if you are using Safari configured to Open “safe” files after downloading).

Grinler, an Admin at BleepingComputer forums posted an excellent summary of the history of these rogue anti-spyware programs on Windows PCs, and now on the Mac. This summary is also where you can find the updated removal guides and Mac Rogue Remover Tool.

Currently, BleepingComputer’s Mac Rogue Remover Tool will remove the following:

Mac SecurityMac Security Removal Guide
Mac DefenderMac Defender Removal Guide
Mac ProtectorMac Protector Removal Guide
Mac GuardMac Guard Removal Guide

If you have any questions on these guides and tools, Grinler ask that you post in their forums here.

Thanks to Corrine (Security Garden) for posting this information at Scot’s Newsletter Forums.


Scot’s Newsletter Forums Celebrating their 8th Year!

[tweetmeme source=”franscomputerservices” only_single=false]Hard to believe that it has been 8 years since Scot Finnie — who is now the Editor in Chief of Computerworld — started a little experimental forum, Scot’s Newsletter Forums! Eight years later, it is still going strong.

I remember when the forums first started. Many of us were there from the beginning, or very nearly so. We were subscribers of Scot’s Newsletter when Scot announced to his subscribers.

I had been reading Scot Finnie’s articles since the old, now defunct WinMag days, and was saddened when they no longer published it. I lost track of Scot Finnie and a host of other writers for a time. I was very excited to hear about Scot Finnie and others who used to write for WinMag going on to have their own online/email newsletters and websites and finding them all over the place on the Internet.

The Scot’s Newsletter Forums has turned out to be a great place to gather, and help each other with various computer related issues, problems.

It’s a place where we SNF (Scot’s Newsletter Forums) “Highlanders” share our joys of success, and get help and understanding for our computer woes, and we have gained a level of friendship and community that is quite special, even among forums. I know that the SNF community literally reached out after the devastation of Hurricane Isabel, and physically and monetarily, as well as just emotional encouragement, helped us fix our roof — And I do mean physically. Some of the members who lived ‘near by’ actually traveled to our house with tools, materials and a willing spirit to help us put our roof back together. For those that wanted to help, but couldn’t come, they helped with providing funds to buy materials. It was a great blessing to us! And showed that even an Internet based community can be as real as any other community of neighbors, friends and family.

And all this while we work together with our various operating system situations whether it be Windows (ATW), Mac (ATM), and Linux (BATL) and other areas.

To help us celebrate the 8th year of Scot’s Newsletter Forums, ESET and WinPatrol have teamed up to help make the celebration all the more special by offering licenses to their great products in two different contests!

We really appreciate their generosity!!

Check out Corrine’s Security Garden posting about SNF 8th Anniversary as well; with even more information.

Happy 8th Anniversary Scot’s Newsletter Forums! It has been a wonderful thing to be a part of such a great ‘experiment’. 🙂