One depressing aspect of modern technology is its failure to tackle security in a serious way. Almost on a weekly basis we hear of data breaches, lost passwords and patches.
In the last few days, manufacturers have rushed out updates to their products to fix newly discovered exploits.
Internet Explorer is a frequent culprit, and even US service personnel were affected by it. So, if you wish to remain secure, stop using IE!
However, it is not just early versions of IE that are the problem. ZDNet reports:
“Microsoft has issued a security advisory for a vulnerability in Internet Explorer 9 and 10 being exploited in the wild.
We wrote last week on the initial reports of exploits in the wild, as reported by security firm FireEye. FireEye and Symantec are both credited in the Microsoft advisory as having worked with Microsoft on the issue.
The vulnerability is a “use after free” remote code execution vulnerability. As in the case found by FireEye, it can lead to a system being taken over if the user is lured to visit a web site in a vulnerable browser. The vulnerability does not, on its own, elevate privilege, so if the user is running unprivileged, the exploit will also be unprivileged.
Internet Explorer 9 is vulnerable according to Microsoft, although the actual exploits in the wild are only targeting Internet Explorer 10. Microsoft says that IE versions 6, 7, 8 and 11 are not vulnerable, so if you are on a platform which supports it, upgrading to IE 11 will address the issue.”
“Adobe planned to release an emergency update for Flash Player on Thursday, after security vendor FireEye pointed to a zero-day exploit used by attackers to target visitors to websites of three nonprofits, two of which focus on national security and public policy.
The Flash exploit allowed attackers to target users of the websites of the Peterson Institute for International Economics at PIIE.com, the American Research Center in Egypt at ARCE.org and the Smith Richardson Foundation at SFR.org. The exploit can compromise Flash users on Windows XP or those with Windows 7 who have Java 1.6 or an outdated version of Microsoft Office 2007 or 2010 installed, FireEye said.”
The Malwarebytes blog is more direct:
“The following versions and operating systems are affected:
Adobe Flash Player 220.127.116.11 and earlier versions for Windows and Macintosh
Adobe Flash Player 18.104.22.1686 and earlier versions for Linux
Adobe AIR 22.214.171.1240 and earlier versions for Android
In order to bypass Address Space Layout Randomization (ASLR) protection in Windows, this attack relied on either one of the following configurations:
Windows 7 and Java 1.6
Windows 7 and outdated Microsoft Office 2007/2010”
Finally, even Windows Update gets patched:
“Microsoft has released a non-critical, non-security update to fix a bug in the Windows Update system in certain versions of Windows.”