Microsoft: Windows flaw could steer IE to hackers

,----[ Quote ]
| Microsoft said Monday that a flaw in the way its Windows operating system
| looks up other computers on the Internet has resurfaced and could expose some
| customers to online attacks.
`----

Microsoft releases serious patch

,----[ Quote ]
| SOFTWARE giant, Microsoft has released a patch for a serious security
| vulnerability that allows attackers to seize control of millions of
| computers.
`----

Critical Vulnerability in Microsoft Metrics

,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update. * * *
`----

In zombies we trust

,----[ Quote ]
| A little over a year ago, I wrote an editorial where in back-of-the-envelope
| style (.pdf) I estimated that perhaps 15-30% of all privately owned computers
| were no longer under the sole control of their owner. In the intervening
| months, I received a certain amount of hate mail but in those intervening
| months Vint Cerf guessed 20-40%, Microsoft said 2/3rds, and IDC suggested
| 3/4ths. It is thus a conservative risk position to assume that any random
| counterparty stands a fair chance of being already compromised. * * *
`----

Over 50% of corporate desktops infected with malware: IronPort

,----[ Quote ]
| The report also reveals that more than 50% of corporate desktops
| worldwide are infected with some type of spyware with the rate of
| infection as high as 70% in the United States. Trojans or malicious
| system monitors represented over 7% of the infections. Rootkits and
| trick loaders, which reinstall spyware and other obfuscation techniques,
| make remediation very difficult thus prevention is the key to stopping
| these threats.
`----

Botnet 'pandemic' threatens to strangle the net

,----[ Quote ]
| Cerf estimated that between 100 million and 150 million of the
| 600 million PCs on the internet are under the control of hackers,
| the BBC reports.
`----

Skeletons in Microsoft’s Patch Day closet

,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions.
`----

Beware of undisclosed Microsoft patches

,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?
`----

Microsoft is Counting Bugs Again

,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
| [...]
| The point: Don't count on security flaw counting. The real flaw is
| the counting.
`----

When AntiVirus Products (and Internet Explorer) Fail you

,----[ Quote ]
| When Didier Stevens recently took a closer look at some Internet Explorer
| malware that he had found, something surprised him somewhat. He discovered
| that the IE-targeted malware had been obfuscated with null-bytes (0x00) and
| when run against VirusTotal, he found that fewer than half of the products
| identified the sample as malware (15 of 32). When all null-bytes were
| removed, the chances of successful detection improved, though not as much as
| would normally be expected (25 of 32 detections). * * *
`----

Code posted for Internet Explorer attack

,----[ Quote ]
| "This type of vulnerability has been very popular with malicious
| attacks in the past, and we expect to see its usage increase
| substantially, now that exploit code is publicly available,"
| security vendor Websense warned in a note published Monday.
`----

Microsoft probes possible IE 7 phishing hole

,----[ Quote ]
| The vulnerability relates to the message IE displays when Web page
| loading is aborted, Raff wrote. An attacker can rig the message by
| creating a malicious link. The message will offer a link to retry
| loading the page; hitting it brings up the attacker's page, but
| showing an arbitrary Web address, he wrote.
`----

Critical IE Graphics Flaw Resurfaces

,----[ Quote ]
| It's bad enough when crooks exploit bugs to ruin a home computer,
| but the consequences of a successful attack can be much worse.
| A substitute teacher in Norwich, Connecticut, found that out when
| a computer she was using in her classroom suddenly started showing
| pornographic pop-up ads to everyone in the class. She now faces up
| to 40 years in prison after being convicted of willfully showing
| her students the images. A security expert hired by her defense,
| however, says he found malicious software on the PC.
`----

Monthly Microsoft Patch Hides Tricky IE 7 Download

,----[ Quote ]
| Opinion: Microsoft used the January 2007 security update to
| induce users to try Internet Explorer 7.0 whether they wanted
| to or not. But after discovering they had been involuntarily
| upgraded to the new browser, they next found that application
| incompatibility effectively cut them off from the Internet.
`----

Attack code out for 'critical' Windows flaw

,----[ Quote ]
| All recent versions of Windows are vulnerable when all recent
| versions of IE, including IE 7, are in use, according to Microsoft.
`----

IE7 'critical update' causes headaches for managed desktop environments

,----[ Quote ]
| As many organisations may not feel compelled to turn off automatic
| updates, they should be prepared to face this issue when Internet
| Explorer 7 is downloaded and installed automatically.
`----

IE 7 bugs abound

,----[ Quote ]
| "But browser testers may already be at risk, according to security
| researcher Tom Ferris. Late Tuesday, Ferris released details of a potential
| security flaw in IE 7. An attacker could exploit the flaw by crafting a
| special Web page that could be used to crash the browser or gain complete
| control of a vulnerable system, Ferris said in an advisory on his Web site.
| Microsoft had no immediate comment on Ferris' alert."
`----

Which Is Safer: Internet Explorer 7 or Firefox 2.0?

,----[ Quote ]
| In the SmartWare test, Microsoft's Internet Explorer 7 blocked 690
| known phishing sites, or 66.35 percent of the total. In contrast,
| Firefox blocked 78.85 percent when using a local antiphishing
| database and 81.54 percent when using the online database.
`----

Information disclosure bug blights IE7 release

,----[ Quote ]
| The flaw stems from an error in the handling of redirections
| for URLs with the "mhtml:" URI handler. Security
| notification firm Secunia reports that the same bug
| was discovered six months ago in IE6 but remains unresolved.
`----

IE Used to Launch Instant Messaging and Questionable Clicks

,----[ Quote ]
| First of all, you need to visit an infection site using Internet
| Explorer - this exploit doesn't work in Firefox, for example.
`----

Firefox Still Tops IE for Browser Security

,----[ Quote ]
| "Mozilla is forthcoming about vulnerabilities," Levy said, whereas "it
| takes Microsoft far longer to acknowledge vulnerability."
| How much longer? "In the last reporting period, the second half of last
| year, Microsoft had acknowledged 13 vulnerabilities. We've now revised it
| to 31. The difference is that now Microsoft has acknowledged these
| vulnerabilities."
| [...]
| "Mozilla can turn around on a dime," Levy said. "Open-source programmers
| can recognize a problem and patch it in days or weeks."
| And as for Microsoft?
| "If a vulnerability is reported to Microsoft, Microsoft doesn't
| acknowledge it for at least a month or two. There's always a certain
| lag between knowing about a bug and acknowledging it," Levy said.
`----

IE Exploit Could Soon Be Used By 10,000-plus Sites

,----[ Quote ]
| First reported by Florida-based Sunbelt Software Tuesday, the bug has
| already been used to compromise PCs and load them with scores of adware
| and spyware programs, as well as other malicious code. Users surfing with
| IE 6 and earlier can be infected simply by viewing the wrong site.
`----

Russian sites using new IE bug to install spyware

,----[ Quote ]
| This is the second unpatched flaw found in IE over the past week. On
| Sept. 14, researchers posted code that could be used to exploit a
| different vulnerability in a multimedia component of the Web browser.
| Microsoft is still investigating that flaw and is not saying whether it
| too will be patched next month.
`----

Seen in the wild: Zero Day exploit being used to infect PCs

,----[ Quote ]
| The exploit uses a bug in VML in Internet Explorer to overflow a buffer
| and inject shellcode. It is currently on and off again at a number
| of sites.
| Security researchers at Microsoft have been informed.
`----

Attack code targets new IE hole

,----[ Quote ]
| Computer code that could be used to hijack Windows PCs via a
| yet-to-be-patched Internet Explorer flaw has been posted on the Net,
| experts have warned.
`----