Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • Another Internet Explorer 0day

    Posted on February 5th, 2010 at 03:32 woody No comments

    Microsoft has released Security Advisory 980088, which describes in sketchy terms another 0day vulnerability in Internet Explorer.

    if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location. These versions include .. Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows XP … Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008.

    The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

    Microsoft is playing it close to the chest (as it should). No known attacks as yet. Makes me wonder how Microsoft found out about it.

    Microsoft’s workaround? Basically, disable ActiveX. Of course, you’re using a browser that doesn’t work with ActiveX, right? Such as Firefox or Chrome. Gad. There I go with that broken record again…

  • MS-DEFCON 4: Get patched

    Posted on February 3rd, 2010 at 06:35 woody 9 comments

    Microsoft had two Security Bulletins in January, with a plethora of patches.

    MS10-011 / KB 972270 is relatively innocuous – a real yawner if you’re using anything other than Windows 2000 SP 4.

    MS10-002 / KB 978207, on the other hand, consists of a massive rollup of Internet Explorer patches. As you may recall, it was issued “out of band,” after the usual Black Tuesday patch day. The patch got released early because of highly targeted “spearphishing” attacks, many of which targeted Chinese dissidents. I didn’t get too excited about it because normal people like you and me weren’t getting clobbered by the original spearphishing expedition – and I haven’t heard of any attempts at a mass attack based on the vulnerability.

    As with any massive IE rollup, there’s a big potential for problems. Although the Knowledge Base article is up to version 4.0 (which means MS has had to modify it significantly on many occasions over the past couple of weeks), it now appears to be stable. So I’m ready to give the “all clear” to install it.

    Of course, you’re using Firefox or Chrome or anything other than IE, right? Remember the mantra: keep Internet Explorer updated and patched (you should be on version 7.0 or 8.0), just because holes in IE can be exploited even if you don’t use IE; and use anything but IE.

    I’m taking us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

  • MS-DEFCON 2: Lots of little updates trickling in

    Posted on January 27th, 2010 at 11:01 woody 2 comments

    For a couple of years, now, Microsoft has been dribbling out little updates for Vista on the fourth Tuesday of every month. Starting this month, the little dribble now includes Windows 7 as well.

    If you see a notification for new updates that you haven’t seen before, it’s just the little guys knocking at your door. Ars Technica has details.

    There’s nothing in the dribble that’s of any interest to most of you. Well, OK, if you fit the following description:

    your Windows 7 or Windows Server 2008 R2 computer has an NVIDIA USB Enhanced Host Controller Interface (EHCI) chipset, at least 4GB of RAM, and while performing general I/O operations on an external USB device, such as copying data from the computer, either your computer stops responding or the copy operation stops abruptly.

    For everybody else, it’s a yawner. We’re still at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

     

  • Still at MS-DEFCON 2: MS10-002 is out, but you don’t need it

    Posted on January 22nd, 2010 at 13:26 woody 22 comments

    Microsoft has released MS10-002 / KB 978207 as expected. You don’t need it right away unless you’re running IE 6. And if you’re running IE 6, what you really need is Firefox, not this patch.

    None of the current patches are worth worrying about. We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  • New hole in Windows discovered 17 years after it appeared

    Posted on January 21st, 2010 at 10:11 woody 1 comment

    Man, this has been one helluva week for 0day exploits.

    Tavis Ormandy at Google reports that there’s a hole in the way Windows NT and later handle functions that were designed to support 16-bit applications.

    All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to be affected, including but not limited to… Windows 2000, XP, Server 2003, Vista, Server 2008 and Windows 7.

    Tavis goes on to say:

    Microsoft was informed about this vulnerability on 12-Jun-2009, and they confirmed receipt of my report on 22-Jun-2009.  Regrettably, no official patch is currently available. As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals.

    Seven months without a resolution, and he’s gone public. Hard to blame him.

    Yesterday, Microsoft released Security Advisory 979682, acknowledging the hole.

  • Protecting yourself against Aurora

    Posted on January 21st, 2010 at 09:21 woody 4 comments

    Windows Secrets Newsletter just hit the stands, and the lead story by Yardena Arar has many details about the “Aurora” security hole.

    There are ways to patch yourself without Microsoft’s big IE cumulative patch MS10-002, which is due any minute, but before you get your knots in a knicker, make sure you understand the scope of the problem:

    Security analysts and Microsoft agree that the attacks have a high social-engineering component: the targeted victims have to trigger the attacks by clicking a link or infected attachment (commonly an Adobe PDF or Flash file) delivered in e-mail, instant messages, or other electronic communication appearing to come from a trusted source.

    Stay calm. The sky isn’t falling. If this is what it takes to get Google out of the censorship business, kowtowing to a big paycheck, hey, I’m not complaining.

    UPDATE: Brian Krebs just posted a very interesting article that explains why “Aurora” probably did originate in China. Actually, the evidence cited in the article tends to support the idea that the people who wrote part of Aurora are able to read Simplified Chinese, but the circumstantial evidence is compelling.

  • Aurora patch update

    Posted on January 20th, 2010 at 21:47 woody 1 comment

    Looks like Microsoft is going to release an out-of-band patch for the “Aurora” security hole made (in)famous by unknown Chinese assailants, Google, and various dissidents.

    Ed Bott has a full report, with anticipation that a release date for the out-of-band patch (which is to say, a security patch that doesn’t wait for the Black Tuesday cycle) will be announced today.

    The Web site Darkreading has had a string of articles on the topic. Good reading if you’re concerned.

    UPDATE: Microsoft has released advance notification which says the patch – a cumulative IE rollup – should be available in the next few hours. If it’s like most cumulative IE rollups, it’ll be full of bugs, some of which may affect Windows itself. We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  • Now (almost) everybody is advising you to stop using Internet Explorer

    Posted on January 19th, 2010 at 18:00 woody 17 comments

    I’ve been saying it for years. I’ll say it again.

    Upgrade Internet Explorer to the latest version. Keep it patched. But don’t use it. Use Firefox or Chrome or Opera or any other Web browser you fancy.

    Sorry if I sound like a broken record. I’ve been advising on this blog since November, 2006, that you should dump IE and use Firefox.

    Ed Bott has come down hard on IE 6. “Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice.” I wouldn’t go quite that far with IE 7 and IE 8, but with rare exceptions there’s absolutely no reason to continue using any version of IE. The German government and French government have both recommended abandoning IE, and I’m with them.

    If your company absolutely insists on sticking with IE for compatibility reasons, they should be focusing most of their development resources on bringing their internal systems up to snuff. There are no good excuses left. Switch.