Microsoft has begun a campaign to actively urge users of its 8-year-old Internet Explorer 6 browser to upgrade.
After launching IE 8 in March, Microsoft has concurred with critics that IE 6 is outdated. Many people have dropped the older browser, but the remaining users are often the tough cases--those who don't have a choice because of corporate computing policy or who aren't tech-savvy enough to realize there's a reason to move on.
This eBay 'Web slice'--basically a live bookmark in Internet Explorer 8--is part of Microsoft's effort to get people to upgrade from IE 6.
(Credit: Screenshot by Stephen Shankland/CNET)

It's this latter population Microsoft is targeting with a campaign that runs through June 2010 that touts its own IE 8 as a better alternative. The campaign's first visible elements are a video aimed at online holiday shoppers and a Web slice to promote daily deals at eBay. Web slices are basically live bookmarks that can show miniature Web pages in the browser.
"What we're doing with the outreach is help users understand how to protect themselves against social engineering threats that exist and to help people understand how Internet Explorer 8 puts people in control of their own privacy online," said Ryan Servatius, senior product manager for Internet Explorer. Security was one of the big problems with IE 6, and Microsoft now boasts that security features in IE 8 block 2 million malware sites a day.
According to Net Applications' statistics, Internet Explorer 6 is still the most widely used browser, with 23.3 percent share of usage in October, followed by IE 7 at 18.2 percent and IE 8 at 18.1 percent. The newer browsers are gaining on IE 6, but so are rivals including Mozilla's Firefox, Apple's Safari, and Google's Chrome.
Web developers often gripe about having to support IE 6, which doesn't support many modern features for more sophisticated Web sites and even applications. Microsoft acknowledges that it's holding back development of the Internet, too.
"The best thing a user can do to advance the Web is to help move people off IE 6," Servatius said.
Of course, many will upgrade to IE 8 by buying Windows 7. IE 6 was the browser that shipped with Windows XP, which remains entrenched, but there are signs Windows 7 is a more compelling successor than Windows Vista. That could help the corporate customers move away from IE 6, Servatius said.
"As enterprises migrate from whatever operating system they're using today to Windows 7, that's going to help deprecate IE 6," he said. "What we're doing is working both with consumers worldwide and IT professionals to help them understand what the benefits of a modern browser are."
Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code, which allegedly can be used to take control of a computer whose user visits a Web site hosting the code, was posted to a security mailing list.
Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.
The exploit code was published to the BugTraq mailing list on Friday with no explanation.
"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.
"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future," Symantec said. Symantec urges IE users to keep their antivirus software up-to-date, disable JavaScript, and visit only trusted Web sites, until Microsoft issues a patch for the hole.
Anyone believed to have been affected can visit Microsoft's Consumer Security Support Center, report it to the Internet Crime Complaint Center, and contact the FBI or law enforcement in the particular country, Microsoft said. U.S. residents can also call Microsoft's PC Safety Customer Service and Support number at 1-866-727-2338.
In July, critical holes in IE prompted Microsoft to issue a rare out-of-cycle fix (that is, one released ahead of its regular Patch Tuesday).
Mozilla and Microsoft don't always see eye to eye when it comes to browser technology, but they agree broadly on one thing: thumbs down for Google Chrome Frame.
Chrome Frame is a plug-in that puts Google's browser engine under the hood of Microsoft's Internet Explorer, and Google argues that it can modernize IE versions 6, 7, and 8 with faster page loading and JavaScript performance. It kicks in only on Web pages that Web developers have labeled with a specific tag. After Google announced it, Microsoft criticized it as creating a potentially increased risk to browsing security.
Google Wave is one site that suggests IE users install Google Chrome Frame.
(Credit: Google)

Mike Shaver, vice president of engineering for Firefox backer Mozilla, published a different concern in a blog post Monday night.
"I certainly share that longing for a Web in which the vast majority of Web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox, and Opera. Unfortunately, I don't think that Chrome Frame gets us closer to that Web," Shaver said.
Specifically, Shaver said Chrome Frame can disable IE features and muddle users' understanding of Web security matters. And users of the reviled IE 6 browser, he added, often won't be able to run Chrome Frame anyway because their computer is locked down to prohibit changes or lacks sufficient power in the first place.
"As a side effect, the user's understanding of the Web's security model and the behavior of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack plug-ins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," he said.
Shaver's advice is to rely on that ages-old technique: an upgrade suggestion on the Web site.
"It would be better for the Web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome and instructed them on how to install it," Shaver said. "The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome's performance would accrue to Google rather than to Microsoft."
Microsoft released an emergency patch on Tuesday to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other Web application components that has been targeted in attacks.
A critical patch for all versions of IE will protect consumers, while a security update for Visual Studio will help developers fix the controls and components they built that could be affected.
Microsoft also has had discussions with Adobe, Sun, and Google about some components involving their software that are affected, said Mike Reavey, director of the Microsoft Security Response Center. He declined to elaborate.
Internet Explorer users running Flash Player and Shockwave Player are vulnerable, Adobe said in a blog post that contains links to the Adobe security bulletins for those products.
A Google representative said the company has been working with Microsoft on the issues but declined to comment further. And a Sun representative did not respond to a call seeking comment.
Cisco will release free software updates for any of its software that is affected by the vulnerability and is making available workarounds that mitigate the issue, the company said in a detailed advisory.
The company released two security updates that deal with a vulnerability in Microsoft's Active Template Library, which is used to build components for Web applications and which could be targeted to take control of computers of Web surfers visiting sites hosting malicious code.
The critical update, MS09-034, is targeted at IE users; the other, MS09-035, is targeted at Visual Studio developers and is rated moderate. It affects Visual Studio 2005 and 2008.
"A library can get used in a lot of places, and vulnerabilities in libraries are challenging," Reavey said. "It's an industry-wide problem when (vulnerabilities) do happen."
"The vulnerability is in the controls, not IE, however to provide protections while developers update the controls, IE (versions that are patched will block attacks)," he said.
The company warned on Friday that a security update would come on Tuesday instead of waiting for the next Patch Tuesday cycle on August 11. This is only the ninth out-of-band release Microsoft has had, according to Reavey.
Microsoft first warned about the ActiveX issue on July 6, saying a vulnerability in its Video ActiveX Control could allow an attacker to take control of a PC if the user visits a malicious Web site and attackers were exploiting the hole. The company offered a workaround for the issue.
During the July Patch Tuesday release the following week, Microsoft still did not have a patch ready and was recommending a manual "kill bit" method--a registry setting that stops Internet Explorer from loading the affected ActiveX control--or sending customers to a "Fix it for me" Web site.
However, researchers figured out a way to get around the kill bit protection mechanism, thus rendering it ineffective and exposing the system to attack, said Eric Schultze, chief technology officer at Shavlik Technologies.
"Some security researchers found that they were able to bypass the kill bit function and still execute certain controls," he said in a statement on Tuesday. "A presentation on how this is done is slated for tomorrow afternoon at the Black Hat Conference" in Las Vegas.
"We were aware of limited attacks on the Microsoft kill bit control where the underlying issue was this vulnerability. As a result of those attacks we released the bulletin to protect customers...but that created chatter," Reavey said. "We saw more details released and we had these updates ready so we released them now instead of waiting for (attacks) to get worse."
The IE patch also resolves three privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted Web page using the browser.
Tyler Reguly, senior security researcher for nCircle, criticized Microsoft for not fixing the underlying issue with a proper patch and said the update could put other software vendors at risk. "Although Microsoft has protected against the kill bit bypass and has patched the public ATL vulnerabilities, there has been no mention or reference to fixing the issue in msvidctl.dll itself," he wrote in a statement. "One has to question what the release of the ATL patch means for other software vendors," he added. "We also have to wonder if they are now more vulnerable than they were previously. They now have to obtain this patch and recompile and release their tools. This means until that process can occur, malicious individuals can reverse the patches to pinpoint each of the vulnerabilities and target third-party software. It's a race to see who will get there first, and the vendors didn't get a head start."
In response, a Microsoft representative provided this comment: "As part of our overall response to the ATL issue, we are continuing our investigation for Microsoft components and controls that may be affected by the ATL issue and will update customers as appropriate throughout the process." More information about the vulnerabilities and fixes is in this advisory. Microsoft also scheduled a Webcast at 1 p.m. PDT on Tuesday to answer customer questions.
Updated at 5:53 p.m. PDT with Adobe and Cisco information, Microsoft response to nCircle; and at 11:52 a.m. and 1:20 p.m. with reaction, more background, and a comment from Google.
In a rare move, Microsoft on Friday said it would be releasing security updates on Tuesday--outside of its monthly patch cycle--for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.
The two security bulletins will address one overall issue and are being released separately "to provide the broadest protections possible to customers," Microsoft said in a statement.
The vulnerabilities affect Windows 2000, Windows XP, Vista, Windows Server 2003 and 2008, Internet Explorer 6, 7 and 8, Microsoft Visual Studio .NET 2003, Visual Studio 2005 and 2008 and Visual C++ 2005 and 2008, according to the security bulletin advance notification.
"While we can't go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications," the statement said. "The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin."
"The Internet Explorer update will also address vulnerabilities rated as critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported," Microsoft said.
Customers who are current with their security updates are protected from known attacks related to the updates, the company said. The updates will be released through the Microsoft Update, Windows Update, and Windows Server Update services.
A Webcast to address customer questions is scheduled for Tuesday from 1 p.m. PDT to 2 p.m. at this site.
Microsoft typically releases security patches on a monthly basis, the second Tuesday of every month, and did not say why it is making this rare, out-of-cycle release.
Attackers are exploiting a new critical ActiveX hole in Microsoft Office to take control of PCs by luring Internet Explorer users to malicious Web sites, Microsoft said on Monday.
The zero-day hole, the third one announced by Microsoft in less than two months, is in Office Web Components ActiveX controls used to display and publish spreadsheets, charts, and databases to the Web.
It affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.
The security advisory details a manual workaround, or people can use Microsoft's Fix-It tool to implement the workaround automatically.
Microsoft said it was working on a security update to patch the hole.
Antivirus vendor Sophos, meanwhile, said in a blog posting on its site that it had received reports of several Web sites, mostly in China, serving the exploit as part of a Web exploit kit that downloads and runs a Windows Executable detected as "Mal/Generic-A."
Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.
There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.
This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.
Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.
Asked to explain what is meant by "no by-design uses," Christopher Budd, Security Response Communications lead, said: "In older operating systems like Windows XP that were originally developed under older programming methodologies, this ActiveX control was enabled for use within Internet Explorer by default to allow for possible future uses. These uses never materialized and as part of the more stringent security requirements that Windows Vista was developed under, this control was later disabled for use within Internet Explorer."
Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.
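The kill-bit workaround referred to here (advisory 972890 and its "Fix It") and in the ATL out-of-band patch article above, shown as an added example; this is not Microsoft's Fix It script or any code from the articles. It assumes an elevated PowerShell session, that the CLSIDs come from the advisory (the one below is a placeholder, not a real control), and the documented kill-bit flag value 0x400 (COMPAT_EVIL_DONT_LOAD) in the Compatibility Flags value under the ActiveX Compatibility key.

```powershell
# Added example: set and verify an ActiveX kill bit by hand.
# Not Microsoft's Fix It; the CLSID list below is a placeholder, take the real ones from the advisory.
# A kill bit tells Internet Explorer not to instantiate the control with that CLSID. It does not
# change the DLL itself, and other COM hosts can still load it.
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on 64-bit Windows reads the WOW64 registry view; set both so neither bitness loads it.
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        if ($PSCmdlet.ShouldProcess($path, "Compatibility Flags |= 0x400")) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            # OR the bit in rather than overwrite, so any other compatibility flags already set survive.
            $new = [int]$current -bor $KillBit
            Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path       = $path
            Flags      = ('0x{0:X}' -f [int]$flags)
            KillBitSet = (([int]$flags -band $KillBit) -ne 0)
        }
    }
}

# Placeholder CLSID (hypothetical): substitute the control CLSIDs listed in the advisory.
$clsids = @('{00000000-0000-0000-0000-000000000000}')
foreach ($c in $clsids) {
    Set-ActiveXKillBit -Clsid $c -WhatIf   # drop -WhatIf to apply
    Test-ActiveXKillBit -Clsid $c
}
```

Run with -WhatIf first to see which keys would be touched, then without it; Test-ActiveXKillBit confirms the bit is set in both registry views. Keep the caveat from the ATL article in mind: the kill bit only governs what IE will instantiate by CLSID, so it is a stop-gap until the vulnerable library or control is actually patched, and researchers found ways around it in the ATL case.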
Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.
The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.
When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.
Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of Web sites are hosting the exploit.
Internet Explorer versions 6 and 7 are at risk, but people running IE 8 are not vulnerable, Symantec said.
Updated July 7 8:25 a.m. PDT with Microsoft explanation of "by-design," and July 6 at 11:45 a.m. PDT with background on a previous DirectShow hole and more details on exploits of the most recent hole.
Updated at 2:20 p.m. PDT with Adobe update released; at 12:25 p.m. PDT with Microsoft saying this is a record number of vulnerabilities addressed in Patch Tuesday; and at 11:45 a.m. PDT with comment.
Microsoft has released 10 security updates fixing a record number of Patch Tuesday holes, including one for a critical hole in Internet Explorer 8 that was exploited as part of a hacking contest at CanSecWest in March.
The bulletin addresses 31 vulnerabilities. "It's the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003," a Microsoft spokesman said.
The June security Patch Tuesday bulletin resolves eight vulnerabilities in IE, the more severe of which could allow remote code execution if a user views a specially crafted Web page. The IE8 vulnerability does not affect Windows 7 RC (build 7100), but does affect Windows 7 beta.
The updates also plug two critical holes in implementations of Active Directory on Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode installed on Windows XP Professional and Server 2003, the worse of which could allow an attacker to take control of a system remotely.
The security update fixes three critical vulnerabilities in Windows Print Spooler that could allow remote code execution if an affected server received a specially crafted RPC (remote procedure call) request.
Several vulnerabilities in Office Word and Excel are addressed in the update that could allow an attacker to remotely run code or take control of the machine using a specially crafted Word or Excel file. The update also fixes the PowerPoint vulnerability that Microsoft warned in April was being exploited in limited, targeted attacks; the Windows version was patched last month.
The update includes a patch for an important hole in its IIS Web server product that Microsoft reported in May.
"We didn't see any in-the-wild exploitations of the (IIS WebDav) vulnerability but typically when Microsoft releases those alerts they're doing it because a customer" has alerted them to an exploit, said Steve Manzuik, senior manager of security research at Juniper Networks.
Also fixed are a critical vulnerability in Microsoft Works Converters and important vulnerabilities in RPC and the Windows kernel. And Microsoft fixed a moderate vulnerability in Windows Search that could allow information disclosure if a user performs a search that returns a specially crafted file as the first result, or if the user previews a malicious file from the search results. By default, the Windows Search component is not preinstalled on Windows XP and Server 2003.
Products affected by the updates include Windows 2000, XP, XP Professional edition, Vista, Server 2003, Server 2008; Office 2000, 2003, 2007, and XP; and Microsoft Office 2004 and 2008 for the Mac.
Other affected software includes Office Excel Viewer; Office Word Viewer; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats; Works 8.5 and 9.0; and Office SharePoint Server.
The updates did not include a fix for a vulnerability in Microsoft's DirectX streaming media technology in Windows disclosed late last month that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.
"They probably didn't have time to QA (quality assurance test) it adequately," said Wolfgang Kandek, chief technology officer at Qualys. "It doesn't surprise me because look at how many vulnerabilities they had in this release. It must have been an enormous workload for these teams to fix all of these."
Adobe also issued security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday in its first quarterly security update for its popular software for creating and reading PDF files.
The updates, available from Adobe's site, resolve critical vulnerabilities in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions that could cause the application to crash and could potentially allow an attacker to take control of the system.
Cybercriminals are exploiting a critical hole in Internet Explorer 7 that was patched a week ago by Microsoft, security firm Trend Micro warned on Tuesday.
The malicious code, which Trend Micro named "XML_DLOADR.A," is hidden in a Word document. On unpatched systems, when the file is opened an ActiveX object automatically accesses a Web site to open a backdoor that installs a .DLL (dynamic link library) file that can steal information, according to a Trend Micro blog entry. The code sends stolen data to another Web address via port 443, Trend Micro said.
As a result of the back door, "anybody can run commands on the affected system," said Jamz Yaneza, a senior threat analyst and researcher at Trend Micro.
Microsoft released a security patch for the vulnerability, and others, a week ago. The vulnerability arises from the browser's improper handling of errors when attempting to access deleted objects.
"It looks like a proof of concept or targeted attack," Yaneza said. The exploit is similar to politically motivated attacks that were seen before the Olympics last year in which PDF files and Word documents contained exploit code and automatically connected computers to malicious Web sites, he said.
It appears that the site the code connects to is in China and there is Chinese terminology in the code, according to Yaneza. That and the fact that the 50th anniversary of the Tibetan uprising is approaching, on March 10, suggests that this attack could be politically motivated as well, he said.
"People need to speed up how they patch their OSes, or turn on auto update in Windows," Yaneza said.
This graphic shows how the new IE7 exploit code works to install a backdoor on an unpatched computer.
(Credit: Trend Micro)

Microsoft on Tuesday released security updates that fix four critical vulnerabilities in Internet Explorer and Exchange Server that could allow an attacker to take control of an affected computer remotely.
Microsoft Security Bulletin MS09-002 plugs two critical holes in IE that could allow remote code execution if an IE user views a Web page that has malicious code, according to Microsoft's notification.
"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," the bulletin said.
Security Bulletin MS09-003 fixes two critical vulnerabilities in Exchange Server. One could allow for remote code execution if a maliciously crafted TNEF (Transport Neutral Encapsulation Format) message is sent to an Exchange Server and could allow an attacker to take complete control of the system with Exchange Server service account privileges. The second hole could allow for a denial of service attack if a maliciously crafted MAPI (Messaging Application Programming Interface) command is sent to an Exchange Server.
Security Bulletin MS09-004 fixes an important remote code execution vulnerability in SQL Server that could be exploited if untrusted users access an affected system or if a SQL injection attack occurs. The vulnerability was discovered in December.
And Security Bulletin MS09-005 closes three important vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a maliciously crafted Visio file. An attacker could then steal data and make changes to accounts with full user rights.
The updates affect Internet Explorer 7, Windows XP Professional Edition, Windows Vista, Exchange 2000 Server, Exchange Server 2003 and 2007, SQL Server 2000 and 2005 and Office Visio 2002, 2003 and 2007.
Andrew Storms, director of security operations for security firm nCircle, predicted that while there were no known exploits for the Exchange vulnerability, attackers were likely working on them.
"All kinds of highly confidential and proprietary information pass through an Exchange server every day," he said in a statement. "Gaining control over it and its content would be a goldmine to any cybercriminal."
Meanwhile, the IE update is less critical because it requires action on the part of the user, Storms added.
As it always does, Microsoft had provided advance notification last week that it would have four security updates on Patch Tuesday.
Updated 12:30 p.m. PST with nCircle comment.