
A new security flaw discovered in Microsoft's Internet Explorer has the company and its customers losing much sleep

News broke in the security world earlier this week that a critical vulnerability had been found in Microsoft's Internet Explorer 7.  The vulnerability could be used to take over computers and is already being used to steal passwords.

Rick Ferguson, a senior security adviser at security firm Trend Micro, says thus far the hole has only been exploited to steal online game passwords, but the attacks could become much more serious for unpatched users.  He states, "It is inevitable that it will be adapted by criminals. It's just a question of modifying the payload the trojan installs."

The seriousness of the flaw was evidenced by Microsoft's rather public announcement of the vulnerability and panicked rush to develop a patch.  So-called "out-of-band" announcements from Microsoft are rare. 

In this case it made such an announcement, stating in a press release, "Microsoft teams worldwide have been working around the clock to develop a security update to help protect our customers.  Until the update is available, Microsoft strongly encourages customers to follow the Protect Your Computer Guidance at www.microsoft.com/protect, which includes activating the Automatic Update setting in Windows to ensure that they receive the update as soon as it is available."

Microsoft has announced that it will have a patch for the vulnerability by 1800 GMT on 17 December, available via Windows Update.

Some experts have suggested that corporate and private users switch to an alternative browser such as Firefox, Opera, or Chrome until the security flaw is patched on affected systems.  Only Microsoft Internet Explorer 7 is vulnerable to this latest attack.

However, some security experts are cautioning that a switch may be equally problematic.  Says Graham Cluley, senior consultant with security firm Sophos, "Firefox has issued patches and Apple has too. Whichever browser you are using you have to keep it up to date.  People have to be prepared and willing to install security updates. That nagging screen asking if you want to update should not be ignored."

The report ironically follows fast on a report that Firefox is a dangerously vulnerable application for businesses.  Apple's Safari has also been blasted within the last year for poor security and patching.

Even the security of major open source software, not a popular target for hackers who heavily use such software, was recently brought into question when a major encryption scheme was found to be broken.  All of these instances illustrate the growing challenge of computer security, the difficulty of being a market leader (and thus a mark), and the need for diligence when it comes to patches and updates.



Comments

Where did you get this information?
By the goat on 12/17/2008 1:09:30 PM , Rating: 1
quote:
Even the security of major open source software, not a popular target for hackers who heavily use such software, was recently brought into question when a major encryption scheme was found to be broken.


Do you have a source for this statement? I strongly doubt most hackers use open source software.

Also stop harping on the Debian OpenSSL library mistake? It was not a huge issue at all. Repeating it over and over only makes Dailytech look ignorant.




RE: Where did you get this information?
By amanojaku on 12/17/2008 1:18:19 PM , Rating: 2
I disagree with both of your statements. Most hackers would use open source software or pirated commercial software: either way, they aren't paying for it and most aren't good enough to write their own compilers, assemblers, etc...

The OpenSSL issue was small because of luck, pure and simple. The exploit was around for two years and few people knew about it; had it been a Windows library you can be sure that would have been exploited before it left the building. It's popularity, not security, that kept that hole from becoming a problem.


By the goat on 12/17/2008 2:15:25 PM , Rating: 2
quote:
Most hackers would use open source software or pirated commercial software: either way, they aren't paying for it and most aren't good enough to write their own compilers, assemblers, etc...


I never said hackers pay for the software they use. If they are using pirated commercial software then they are not using open source software.


RE: Where did you get this information?
By Yawgm0th on 12/17/2008 1:33:41 PM , Rating: 2
quote:
Do you have a source for this statement? I strongly doubt most hackers use open source software.

If you had a clear idea of the definition of "hacker" outside of what the mainstream media uses, you'd realize virtually all hackers use open-source software, particularly open-source operating systems. It's almost a requirement to be considered a hacker.

If you are referring to malicious attackers, i.e. crackers, script kiddies, and the like, they still use open source software. This isn't because of any love of open source, per se, but because UNIX-like systems offer a far superior development platform for virtually any cracking tool. That doesn't give them too many choices outside of open source.

quote:
Also stop harping on the Debian OpenSSL library mistake? It was not a huge issue at all. Repeating it over and over only makes Dailytech look ignorant.

DailyTech loves to link to its own stories whenever they are remotely relevant. Mick in particular seems to do it frequently.


RE: Where did you get this information?
By Clauzii on 12/17/2008 1:58:45 PM , Rating: 1
"DailyTech loves to link to its own stories whenever they are remotely relevant. Mick in particular seems to do it frequently."

... which makes it extremely easy to track down a specific topic. Nice :)


RE: Where did you get this information?
By ebakke on 12/17/2008 3:34:48 PM , Rating: 2
So does the search bar in the top right. And that doesn't clutter the articles of interest to me.


RE: Where did you get this information?
By Clauzii on 12/18/2008 9:55:10 PM , Rating: 1
Clutter? Where??


By Clauzii on 12/19/2008 1:42:43 PM , Rating: 2
LOL, You guys are funny :)


By Jellodyne on 12/17/2008 5:34:03 PM , Rating: 2
Yeah, and there's a huge world of difference between "a major encryption scheme was found to be broken" and "an implementation of a major encryption scheme was found to be flawed" -- the second is what happened "recently", assuming you want to call March "recent". I mean it's a big deal and all, but no worse than a bunch of Microsoft vulnerabilities, and easily patched.


Copyright 2014 DailyTech LLC.