Microsoft Enables Removal of SSL 3.0 Fallback in IE

Last week, in addition to patching 14 vulnerabilities in Internet Explorer (IE), Microsoft gave Windows admins the ability to disable SSL 3.0 in IE 11 for Protected Mode sites. Doing so removes exposure to the SSL 3.0 attack known as POODLE.

The new setting is off by default in this release of IE 11, but Microsoft will turn it on by default on February 10, 2015. This is Microsoft’s first step toward disabling SSL 3.0 by default across all of its online services.

Read the full story in the news.

See the status of disabling SSL 3.0 in the most popular browsers here.
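As an added example that is not part of the original post: a PowerShell audit of the Windows SChannel registry keys that govern SSL 3.0 system-wide (IE uses SChannel through WinINet). The post names no registry path; the key below is Microsoft's documented SChannel location, and the function names are mine.

```powershell
# Added example (not from the original post). Audit, and optionally
# disable, SSL 3.0 in Windows SChannel. Run from an elevated PowerShell
# session; changes take effect after a reboot.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl3State {
    param([ValidateSet('Client','Server')][string]$Side)
    $path = Join-Path $base $Side
    if (-not (Test-Path $path)) {
        # Key absent: Windows uses its built-in default, which at the time
        # of this post meant SSL 3.0 was still enabled.
        return [pscustomobject]@{ Side = $Side; State = 'not set (default: enabled)' }
    }
    $enabled = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -eq $enabled) { 'not set (default: enabled)' }
             elseif ($enabled -eq 0) { 'disabled' }
             else { 'enabled' }
    [pscustomobject]@{ Side = $Side; State = $state }
}

function Disable-Ssl3 {
    # Sets Enabled=0 and DisabledByDefault=1 for one side (Client or Server).
    param([ValidateSet('Client','Server')][string]$Side)
    $path = Join-Path $base $Side
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $path -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
}

# Report current state for both sides.
'Client','Server' | ForEach-Object { Get-Ssl3State -Side $_ } | Format-Table -AutoSize

# Uncomment to enforce the POODLE mitigation system-wide, then reboot:
# 'Client','Server' | ForEach-Object { Disable-Ssl3 -Side $_ }
```

Disabling the Client side is what protects a browser on the machine; the Server side matters only on hosts that terminate TLS themselves.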

Microsoft Security Updates for December 2014

Microsoft will be issuing seven security bulletins on Tuesday, December 9. Three are rated critical.

Affected products are Exchange, Windows, all versions of Office (including Office for Mac), and Internet Explorer. The Internet Explorer update affects all supported versions of IE, including the latest, IE 11. Some updates will require restarting your computer after installation.

The total number of updates from Microsoft will be 84 this year, with just 29 rated critical, which is an improvement over the past two years.

The updates will be available through the normal Windows Update process.

Read the full story in the news.

Improved Security for Internet Explorer

On September 9, 2014, Microsoft will release a new security feature for Internet Explorer called “out-of-date ActiveX control blocking.” ActiveX controls are small programs that let Web sites provide content such as videos and games, and also let you interact with content through components such as toolbars. Unfortunately, many ActiveX controls are not automatically updated. Malicious and compromised Web pages can target outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.

The new feature works with IE 8 through IE 11 on Windows 7 SP1 and up, and on Windows Server 2008 SP1 and up. As of September, only out-of-date Oracle Java ActiveX controls will be affected. All other ActiveX controls will continue their existing behavior.

More information about outdated ActiveX control blocking.

Zero-Day Targets Internet Explorer

In a security advisory released late last week, Microsoft warns users of limited, targeted attacks that attempt to exploit a vulnerability affecting Internet Explorer 6 through Internet Explorer 11, although the attacks observed so far target only IE 9 through IE 11.

The vulnerability has not been patched and is considered a significant zero-day, as the vulnerable versions of IE represent about a quarter of the total browser market. We recommend applying the patch as soon as it becomes available.

To read the details of how this exploit can occur, see this article.

What you can do to protect your computer:

  1. One mitigation is to download and install Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), a free tool that can strengthen security on Windows. Note that EMET 3.0 does not mitigate the attack; users should rely on EMET 4.1. Krebs on Security discusses EMET here.
  2. Because the attack will not work without Adobe Flash, disabling the Flash plugin within IE will prevent the exploit from functioning.
  3. According to FireEye, the security lab that discovered the vulnerability, Enhanced Protected Mode (EPM) in IE10 and IE11 will prevent the exploit. It is not turned on by default. This article shows how to enable EPM in IE.
  4. The fourth option is to use another browser until a patch has been released.

UPDATE AS OF 5/1/14:

Today Microsoft issued an out-of-band patch to fix a vulnerability in Internet Explorer 6 through 11. The zero-day exploit (CVE-2014-1776) was identified in targeted attacks against Internet Explorer 9 through 11 earlier this week.

Microsoft advises installing the update as soon as possible through Windows Update. For details on the patch, see MS14-021: Security Update for Internet Explorer (2965111).

MIT WAUS has pushed the patch out to subscribers. Although a patch for IE on Windows XP was included in this fix, it is unlikely that the software company will do this again. Microsoft reminds customers still running Windows XP to upgrade to Windows 7 or 8 now.

Be sure to also use anti-virus software. Sophos Anti-Virus, available for free from the software download page, protects against this threat.

For further reading, see the story: Microsoft issues Internet Explorer security fix.

April 2014 Security Updates from Microsoft

Today, April 8, Microsoft is releasing four new security bulletins. Two of the bulletins are rated critical. Microsoft systems that will be affected:

  • Windows (all current operating systems and servers)
  • Internet Explorer (all supported versions)
  • Microsoft Word and Office for Mac
  • Microsoft Publisher 2003 and 2007

It is recommended to accept the updates. MIT WAUS subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment. Installing the bulletins manually may require a restart.

One of the bulletins released today addresses the RTF (Rich Text Format) vulnerability in Word (CVE-2014-1761) on all supported platforms, including the Mac.

Microsoft Releases Security Advisory on Internet Explorer

Microsoft released Security Advisory 2934088 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – on February 19th.

A vulnerability in Internet Explorer 9 and 10 is exploitable. According to the advisory, an attacker could host a specially crafted website, convince a user to view it, and exploit the vulnerability if the site is viewed in Internet Explorer.

There is no current patch for this vulnerability, and Microsoft has not yet scheduled one, but they may provide a solution through the monthly security update release process or an out-of-cycle update. They do offer a temporary stopgap “fix it” measure, allowing affected services to go into restricted mode to block attacks.

Microsoft recommends that users avoid clicking on unsolicited links. It is also a good idea to use an alternative browser until the issue has been permanently fixed.

Read the full story in the news.

October 2013 Security Updates from Microsoft

On Tuesday, October 8, Microsoft is planning to release eight new security bulletins. Affected software:

  • Windows
  • Internet Explorer
  • Microsoft Office
  • Microsoft Office for Mac

It is recommended to accept the updates. MIT WAUS subscribers will receive the updates after they have been tested for compatibility.

The updates include a fix for a zero-day vulnerability in Internet Explorer that is actively being exploited.