Posted 01/19/10 at 04:57:40 PM by Bart Salisbury

Last week’s cyber attacks, that targeted Google and several other large U.S. companies, has certainly gotten Microsoft’s attention. The attack was orchestrated, in part, through a zero-day flaw in Internet Explorer (IE). The flaw seems to be obscure, and restricted to IE 6 and IE 7, but that hasn’t stopped Microsoft from releasing an out-of-cycle patch for IE.

Microsoft has acknowledgde the flaw, and says the “vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

Microsoft, in an announcement posted today, says the confusion surrounding this particular attack has compelled Microsoft to act now. Microsoft’s primary advice: upgrade to IE 8, which is not affected by this flaw. If you don’t plan to upgrade, then updates for earlier versions will be made available, with specific timing of the updates to be announced tomorrow. In the meantime, Microsoft suggests using the workarounds and mitigations provided in Security Advisory 979352.

Read More

Posted 10/09/09 at 03:59:00 PM by Paul Lilly

If it seems like Adobe's Acrobat Reader is constantly under attack, well, that's because there's some truth to it. The latest threat comes in the form of another zero-day bug being exploited in targeted attacks, Adobe said.

Not a whole lot of information has been made available on the newest threat, though according to an advisory from VUPEN Security, the vulnerability in question is an unspecified memory corruption error that occurs when users open a specially crafted PDF file. VUPEN says the bug can be exploited remotely.

"Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly update, scheduled for release on October 13," blogged David Lenoe of the Adobe Product Security Incident Response Team. "Adobe Reader and Acrobat 9.1.3 customers with DEP (Data Execution Prevention) enabled on Windows Vista will be protected from this exploit."

In the meantime, Johannes Ullrich, a researcher with the SANS Institute, says users can avoid the potential threat by first converting PDFs into another format, like Postscript, and then back into PDF form. At the same time, Ullrich warns this isn't 100 percent certain to remove the exploit and could actually infect the machine mucking around with the file. Fantastic.

Anyone else using Foxit Software's super-lean freebie PDF reader, Foxit Reader?

Read More

Posted 12/16/08 at 06:09:00 PM by Mark Edward Soper

Once again, Internet Explorer (aka "Internet Exploder") has been attacked through a "zero-day" remote code execution vulnerability. That might not seem like MaximumPC.com-worthy news, except for two factors: the flaw is affecting thousands of websites, and this time, it isn't just Firefox fans who are saying "time to switch browsers, already!" - security experts at Trend Micro, the Spamhaus Project, and the UK's PC Pro magazine are all recommending making a switch, according to the BBC. And here's why:

The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.

Switching Browsers? Choices Abound!

Attacks against IE7 have been verified, but all versions of IE (including IE 8 Beta 2) have the same underlying vulnerability; a vulnerability not present in IE's competitors (Firefox, Opera, Chrome, and Safari). Switching browsers makes sense for most web surfing, but, alas, some websites and (of course) Windows Update and Microsoft Update for Windows XP won't work with anything but IE.

Redmond Readies Security Update

Since the vulnerability was detected on December 10th, Microsoft code jockeys have been working hard to patch the flaw (Redmond doesn't want you to switch, naturally, and given the way that IE and Windows work together, a broken IE isn't good for anybody), and a patch will be available tomorrow (December 17th) for all versions of IE from 5.01 up, applying to all versions of Windows and Windows Server from Windows 2000 on up. It's rare for Microsoft to perform a security update between Patch Tuesdays, but when a "Critical" vulnerability (the most dangerous category of vulnerability) is discovered, there's no time to waste.

If you must use IE and you're looking for workarounds until you can get the update, join us after the jump for details.

Read More