Thursday, May 1, 2014

Serious Security Flaw Affects Every Version of Internet Explorer




June 3, 2014 -- UPDATE!!!


In the wake of the "zero day" security flaw, Microsoft has announced (along with fixes) another vulnerability: the use-after-free vulnerability.

Here is the Microsoft Security Bulletin Summary for May 2014, along with links to the May 2014 updates.

Here is a great graphic comparing web browser security flaws, taken from Wikipedia:




The fallout from all of this is that companies, both the ones that produce the programs (Microsoft, Adobe, Google, Apple, etc.) and the companies that use the programs (government, schools, retailers, banks, insurance companies, etc.) are reevaluating their systems. Even Google has just announced an update to Chrome. 





Below is my original post. For the average person, this may seem like too much to take in, and it is. My simple recommendation is if you are on Windows, use Chrome or Firefox.

Better yet, switch to a Mac.


Original Post: May 1, 2014...................





Sunday, April 27, 2014
From: Kim Komando, Time, Forbes, Liberty Voice, Tech Eye, and USA Today

Here is the USA Today article with video:

Researchers at security company FireEye have found a flaw in Internet Explorer that could let hackers easily slip a virus on to your computer, especially those still using Windows XP. And hackers are already using it.

This flaw, the "zero day" security flaw, is present in every version of Internet Explorer – from 6 to 11 – stretching back more than a decade.

Calling it a "remote code execution vulnerability," Microsoft warns that "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," including the ability to "take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft explained that the "vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated."



You have no defense with the latest Windows systems, either; the program is vulnerable no matter which version of Windows you are running.

The bug is a drive-by hack; all you have to do is visit a site that hackers have hijacked or modified and you’re infected.


As of May 1, 2014, there is no permanent fix and Microsoft is still researching the problem.

Internet Explorer Security Issues Trigger National Security Alert


This Internet Explorer (IE) security issue is so serious that it triggered a national security alert from the Department of Homeland Security (DHS), which issued an unusual advisory warning computer users not to use the IE web browser until the most recently discovered security issue is fixed. Some experts say that is not very likely to happen any time soon.

A Concerted Attack on US Infrastructure

"Complete compromise" means different things to different organizations, but a technical support team at General Dynamics defines it as a complete takeover of system operations, sometimes called the "going hog-wild" phenomenon among hackers. This is not a common garden variety hack, a phishing scheme, or some other low-level annoyance.

On the contrary, this is a prima facie illustration of what a cyber war attack will look like, because that is exactly what is happening right now. So far, the hackers have only been stealing data, but the nature of the security hole is such that the hackers could take control over entire systems and wipe data, change data, add data, or deliberately crash devices running on infected systems. In other words, this is no joke.

Who is Affected?

Just about anyone could be affected by the breach. Neither Homeland Security nor anyone else is about to provide any details about who has been affected, or who may be affected in the near future, for the very obvious reason that making such information public would hang a target on those companies for other hackers.

However, the fact that the warning came from Homeland Security, rather than Microsoft itself, suggests that at least one of the victims has ties to the country's defence systems. The Department of Homeland Security warned yesterday: "We are currently unaware of a practical solution to this problem," said the department's Computer Readiness Team.


You can read Homeland Security's warning here:

Organizations in that category reportedly might include branches of the U.S. Military, The U.S. Postal Service, the Internal Revenue Service, the Federal Bureau of Investigation, defense contractors, and major financial institutions.

Homeland Security itself has moved most of its operations to Windows 7, but still requires its employees to use Internet Explorer.

The IRS recently admitted that it was paying Microsoft millions of dollars to continue to support their Windows XP installations, a situation necessitated by the fact that IRS’s own software will not run properly on Windows 7 or 8.

The biggest potential victims in this scenario, however, are the Chinese, who are running more XP systems than anyone else.



US-CERT

Although I say the warnings are from Homeland Security, they originate with US-CERT (The United States Computer Emergency Readiness Team). US-CERT is an organization within Homeland Security’s National Protection and Programs Directorate (NPPD). Specifically, US-CERT is a branch of the Office of Cybersecurity and Communications' (CS&C) National Cybersecurity and Communications Integration Center (NCCIC).

US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. The division brings advanced network and digital media analysis expertise to bear on malicious activity targeting the networks within the United States and abroad.

Why do these organizations continue to use XP?

In addition to compatibility issues with enterprise software that has not been upgraded to run on new versions of Windows, many users also point to the fact that their older peripheral devices will not work on the newer operating systems.

Manufacturers have not released updated drivers to allow older equipment to work on newer operating systems, but many computer users have substantial investments in the older devices, which would have to be replaced during an upgrade to the newer systems.

According to Browsium, a software company that publishes software that enables newer operating systems to function like Windows XP, 80 percent of the organizations with more than 10,000 computers in their systems never upgraded their operating systems to Windows 7.

The anemic market performance of Windows 8 to date is widely attributed to serious misgivings in the marketplace about Microsoft’s decision to “optimize” Windows 8 to run on touch-screen systems.

Recognizing, belatedly, that the majority of the upgrade candidates do not have touch screen computers, Microsoft recently issued an update for Windows 8 that makes it easier to use on systems that do not have touch screens.

In many cases, however, Windows XP users simply do not want to put new shoes on an old horse. They do not want to upgrade their software until they have to upgrade their hardware, and they don’t want to have to upgrade their hardware just to run Microsoft’s new software.

In many cases, computers that run Microsoft XP perfectly well will not be as successful with Windows 7 or 8 because the newer systems need more processing speed and more memory than the older systems. This forces customers who have to move up to Windows 8 to buy new hardware to run the new software.


The Microsoft business model is apparently intent on forcing customers to constantly upgrade software versions rather than rely on customers actually wanting to buy its products (and for the long term). Microsoft freely admits to building software that is incompatible with previous versions of the same product, though this is typically spun as being a trivial, harmless issue.


You can read more about the issue of Microsoft forcing upgrades here, here, and here.

Microsoft Reaction Muted

Microsoft’s immediate public reaction has been low-key, promising to get right on it... while skirting the issue of whether or not they will provide a fix for IE 6 so that Windows XP users can pick up where they left off and go about their business. That is not a likely course of events.

While there is little doubt that Microsoft’s decision to discontinue support for Windows XP was specifically motivated by their need to force computer users to upgrade to Windows 8 (due to Windows 8’s poor performance in the marketplace), there is also little doubt that decision may have just created an enormous public relations problem for the company.

If Homeland Security is telling people not to use Internet Explorer, and Microsoft never fixes the older versions of Internet Explorer, it will be Homeland Security that will be blamed as hundreds of thousands of individuals and companies spend millions (if not billions) of dollars to upgrade to an operating system that most of them did not want in the first place.

A fix for the FLASH part of the problem is available from Adobe.

So far hackers have been using Adobe Flash as the delivery system for this attack. As of 4-28-2014, Adobe rushed out a fix for Flash to prevent this from happening. Click here to update to the latest Flash version.

Microsoft Workaround #1: "Enhanced Protected Mode"

Microsoft has offered a temporary user fix for Internet Explorer versions 10 and 11, but this is not automatic. Users have to go into the Tools menu and implement it themselves. And, like many security documents, the Microsoft advisory can be a bit confusing to those without a lot of technical experience.


  • First, make sure you can see the menu bar in Internet Explorer.

  • If you don’t see a menu bar, right-click on an area near the top of the window and then click on Menu bar in the box that comes up:

  • Scroll to the bottom of the Tools menu (illustration is cropped — it’s actually quite long) and select Internet options:

  • In the Internet options menu, click on the Advanced tab and scroll down to the Security section. If you are running Internet Explorer 10, check "Enhanced Protected Mode". For Internet Explorer 11, select both "Enhanced Protected Mode" and "Enable 64-bit processes for Enhanced Protected Mode" (for 64-bit systems).

  • Restart your system, which means completely reboot your PC.

Microsoft Workaround #2: Install EMET

If you want to stick with Internet Explorer, Microsoft recommends installing its Enhanced Mitigation Experience Toolkit version 4.1. EMET’s recommended configuration will make some tweaks to IE that reduce the threat.

However, it may cause some websites you use to stop working. And EMET is really meant for companies, so it’s not very user-friendly if you want to tweak settings. If you run into problems using it, uninstall it and switch browsers.


You can get EMET (Enhanced Mitigation Experience Toolkit version 4.1) here:

Download Instructions:

  1. On the EMET download page, click the big red Download button. It will ask you to select the files you want to download.
  2. Choose “EMET Setup.msi”. You can also download the user guide if you want to learn more about using the program. Then click Next.
  3. Choose where to save the file or files, and then once they’re saved, find and run the .msi file. Follow the directions. 
  4. When you get to the EMET Configuration Wizard, choose Use Recommended Settings. Then click Finish and Close.

Note to XP users: EMET will NOT improve your security. The tweaks it makes are to settings not available in XP. You must switch browsers or upgrade to a newer operating system.

About EMET:


On its own, Windows isn’t all that secure. That’s why you have to add third-party security software and be careful what links you open and files you download.

Part of this is because some of the settings Windows uses are good for flexibility and convenience, but bad for security. To help users adjust these settings, Microsoft makes the Enhanced Mitigation Experience Toolkit.

This program helps you tweak key Windows settings for extra safety. Of course, it can also break some programs and websites that rely on the settings it changes.

Also note that it’s meant for companies and advanced users. Its default settings work OK, but if you want to tweak anything, you really need to know what you’re doing.

If you install it and things you use often start breaking, it’s best to just uninstall it.

Switch to a Standard Account

If hackers break in to your computer using this security flaw, they can only use the Windows account that’s running Internet Explorer. That means if your account is set as a Standard account, it really limits what they can do. This is true of most other attacks as well.

If for some reason you or someone in your family insists on continuing to use Internet Explorer, please take the time to ensure that the computer is operating in a Standard account.

Learn the differences between a Standard and Administrator account, and how to switch your account over to Standard here:
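A read-only check of the settings from Workaround #1 and of the account type discussed in this section, as an added PowerShell example that is not part of the original post or any Microsoft tool. The registry value names (`Isolation`, `Isolation64Bit`, `svcVersion`) and the function names are assumptions; the post itself only describes the Internet Options checkboxes.

```powershell
# Added example, not from the original post. The registry value names are
# assumptions (the post only describes the Internet Options checkboxes).
function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-IeMitigationStatus {
    $ieKey     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $userKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'

    # IE 10 and 11 report their real version in svcVersion; older ones in Version.
    $version = Get-RegValue $ieKey 'svcVersion'
    if (-not $version) { $version = Get-RegValue $ieKey 'Version' }
    $major = if ($version) { [int](($version -split '\.')[0]) } else { 0 }

    # A Group Policy value, when present, wins over the per-user checkbox.
    $isolation = Get-RegValue $policyKey 'Isolation'
    if ($null -eq $isolation) { $isolation = Get-RegValue $userKey 'Isolation' }
    $tabs64 = Get-RegValue $policyKey 'Isolation64Bit'
    if ($null -eq $tabs64) { $tabs64 = Get-RegValue $userKey 'Isolation64Bit' }

    $is64BitOs = (Get-WmiObject Win32_OperatingSystem).OSArchitecture -match '64'
    # whoami lists BUILTIN\Administrators (S-1-5-32-544) even when UAC has
    # filtered it to deny-only, so this detects an Administrator account
    # whether or not the current process is elevated.
    $adminAccount = [bool]((whoami /groups) -match 'S-1-5-32-544')

    $findings = @()
    if ($major -lt 10) {
        $findings += "IE $major has no Enhanced Protected Mode; workaround #1 does not apply."
    } else {
        if ($isolation -ne 'PMEM') { $findings += 'Enhanced Protected Mode is off.' }
        if ($major -ge 11 -and $is64BitOs -and $tabs64 -ne 1) {
            $findings += '64-bit processes for Enhanced Protected Mode are off.'
        }
    }
    if ($adminAccount) { $findings += 'Account is an Administrator, not Standard.' }

    New-Object PSObject -Property @{
        IEVersion = $version; EnhancedProtectedMode = ($isolation -eq 'PMEM')
        Tabs64Bit = ($tabs64 -eq 1); AdministratorAccount = $adminAccount
        Findings  = $findings
    }
}

Get-IeMitigationStatus | Format-List
```

An empty `Findings` list means both checkboxes are set for the installed IE version and the logged-on account is Standard; the script changes nothing on the machine.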



Switch Browsers

This flaw only affects Internet Explorer, so switching to another browser will instantly stop the threat. Firefox and Chrome are both good free alternatives. If you want, you can switch back to IE once this flaw is fixed, but you might find you don’t want to.

IE currently owns 55 percent of the web browser market, according to NetMarketShare, with the rest being divvied up between Google Chrome, Mozilla Firefox, Apple Safari and Opera.

Those figures are contradicted by W3schools.com, whose figures show that IE only accounts for around 10 percent of the market, with Chrome holding 57.5 percent against Firefox’s 25.6 percent. Runner up Safari claims just 3.9 percent of the market, leaving 1.8 percent for Opera.

The NetMarketShare report reflects a cross-section of all computer users. W3schools statistics are based on data from visitors to their websites, who tend to be computer professionals, rather than end users.


Finally...

==> Make sure that your security software is up to date. This flaw lets hackers bypass most security software, but it’s still better to have it installed than not. Security software will catch most of the other threats out there – and there are a lot of threats out there.

If you do not have security software, or it is out of date, you can get FREE security software here: 

Remember, security software covers 3 areas:
  1. Antivirus
  2. Spyware/Malware
  3. (Software) Firewall

You should also have a router, even if you are the only computer in your office. Modern routers act as a NAT Firewall (Hardware). You should still have a software firewall on each computer as well.

You can read more about Hardware Firewalls vs. Software Firewalls here:

==> Back up your Data.

==> Be sure to update all software and your OS (operating system).

Governments, Businesses, and Other Institutions Warning Against IE

The New York Public Library suggests its users ditch IE and use Google Chrome instead.





The US and UK governments advised computer users to consider using alternatives to Microsoft's Internet Exploder browser until the company fixes a security flaw that hackers used to launch attacks.

The Department of Homeland Security's U.S. Computer Emergency Readiness Team said in an advisory that the vulnerability in versions 6 to 11 of Internet Explorer could lead to "the complete compromise" of an affected system.

The UK National Computer Emergency Response Team told British computer users, that in addition to considering alternative browsers, they should make sure their antivirus software is current and regularly updated.



Thank you for reading.
