Tag Archives: internet explorer

Security News – wk2 Jan

I’m going to be pushing my security column out on at least a bi-monthly basis from now on – a 2016 resolution! ; )

This past week’s Patch Tuesday from Microsoft was quite a serious affair – 9 security advisories covering 25 vulnerabilities of which 6 advisories address critical level flaws in IE, Office, Windows and others. Keep them updated!

Also in the Microsoft camp, IE 8 through 10 will no longer get security support from this week – considering that those versions account for more than 20% of worldwide browser usage, this is going to be a big problem – think unsecured drive-bys, cross-site scripting and remote code execution. Juicy times for attackers. There are a couple of issues here for folks wanting to migrate to IE11:

  • application compatibility and upgrade/migration
  • corporate policy
  • about 2/3rds of issues affecting IE11 also affect previous releases, giving lots of clues to malicious code writers

The other big security news of the week is the detection of multiple critical bugs in Trend Micro’s Password Manager component. Specially crafted URLs can cause the PM to leak passwords or allow arbitrary command execution on the local machine – for a security package, this is a significant problem, but at least Trend have already released a patch for this. Update!

The Juniper ScreenOS issue (CVE-2015-7755) continues to rear its ugly head, with Juniper denying any collaboration with the NSA in putting the “possibly NSA-sponsored” DUAL_EC and ANSI X9.31 RNGs into ScreenOS. Juniper will be sorting this mess out over the next 2 months, so that still gives a very long window for exploitation. For some clients, there may be little choice but to migrate their firewall infrastructure to other kit to maintain security.

For those not in the know, the (known) weak RNGs and “unauthorized code” in ScreenOS could allow unauthorized admin access to ScreenOS devices and real-time VPN traffic decryption. Considering news of the NSA intercepting shipments of Cisco (and other kit) to replace firmware with NSA-encumbered code, this does not come as that much of a surprise; suffice it to say, the US authorities still seem to be either working hand in hand with certain US networking companies or exploiting weaknesses in those companies’ products. Either way, this is as bad as it gets … and they complain about Huawei?!?!! Pot? Kettle?

In related (firewall) news, an administration access bug from 2014 and earlier in FortiGate products seems to have reared its head this week. I’m not sure about the delay in reporting, but this is a bit of a moot point now seeing as the issue was sorted out a long time ago. Possibly the Juniper news has everyone on edge …

Juniper was not alone this week with critical issues; Cisco has released patches for multiple products including 2 for the Identity Services Engine (ISE) software (CVE-2015-6323) and Wireless LAN Controller (WLC) software (CVE-2015-6314) – both are deemed critical and have a maximum CVSS score of 10.

In the wake of the Juniper backdoor revelations, Cisco Systems announced that they will be reviewing the software running on their devices and looking “for backdoors, hardcoded or undocumented account credentials, covert communication channels and undocumented traffic diversions.” So it looks like all firewall and security networking vendors are going to have some work in store for themselves over the next few months.

Internet Explorer the safest browser – yeah right!

Microsoft has always bigged up their products using whatever mechanisms they can, including paid-for campaigns/ads and sometimes outright lying. The latest statement that IE is the most secure browser (according to their yourbrowsermatters website) fits into this latter category.

One has to wonder how Microsoft comes about the scores provided on the site. Thumb suck I say. Where does the outright lying come into play? Well apparently my browser benefits from Windows Operating System features that randomize the memory layout to make it harder for attackers to find their target. And my browser benefits from Windows Operating System features that protect against structured exception handling overwrite attacks.

The only problem with the above 2 statements is that I don’t run Windows …

One also has to wonder how IE is given the most secure browser moniker when it’s just had a major patch released to fix what’s regarded by anyone as a serious flaw (“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user”).

So when vendors trot out that “we’re the most secure” malarky, take it with a pinch of salt. Mind you, maybe a whole jar will be better.

IE hole has first blood drawn by Amnesty International

The latest 0-day hole in Internet Explorer has been exploited through vulnerabilities in the Amnesty International web site. The hole itself is related to flawed processing routines for parsing certain Cascading Style Sheet combinations in HTML documents. This allows attackers to manipulate certain pointers and execute injected code at the user’s privilege level.

The new attacks confirm observations of the exploit in commercial packages sold to criminals – which means attacks will probably soon become more frequent. Exploit packs fire on visitors to manipulated web sites from different directions to increase the success rate of infection attempts. In addition to the exploit for Internet Explorer, the AI site also contained modules for holes in QuickTime, Flash, and Shockwave.

So far, IE 6, 7 and 8 are vulnerable. No patch is available yet, but Microsoft have indicated users should enable/use the DEP (Data Execution Prevention) feature in XP, Vista and 7 (IE 8 has DEP enabled by default).