
Defense in Depth

July 1, 2008 11:28 AM PDT

Researchers: 637 million browser users at risk

by Robert Vamosi

A group of researchers on Tuesday said 637 million Web users are surfing with outdated Internet browsers and are therefore at greater risk of Web-based attacks.

Using data collected from Google Web searches and security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analyzed which browser versions are in use and published their findings in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.

Overall the authors found that roughly 40 percent of users were using insecure versions of Web browsers. Among the least compliant were users of Internet Explorer, which currently dominates the Internet browser market.

The data was collected in mid-June 2008. The users were split among 78 percent Internet Explorer users, 16 percent Firefox, 3 percent Safari, and 0.8 percent Opera. Of these, 52 percent were running the latest version of Internet Explorer, 92 percent for Firefox, 70 percent for Safari, and 90 percent for Opera.

The authors note that it has taken IE 7, the current Internet Explorer release, 19 months to gain only 52 percent of the entire Internet Explorer audience. Forty-eight percent of the users in the study were either using an old version of IE 7 or still had IE 6 installed.

Some of this has to do with how the respective vendors provide updates. IE 7 is currently offered as an auto-update with each monthly set of Microsoft security patches, yet a number of people are opting out of the upgrade and still running IE 6.

The study did not include use of insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only the browser info.

For mitigation, the study drew comparisons to the food industry, arguing that if people understand the need to buy the safest food, why not the safest browser? People understand that food is perishable, so why not make Internet browsers display expiration dates? The authors provided an example of a browser that displayed in red in the upper right hand corner "145 days expired, 3 updates missed."

But unlike the food industry there is no liability for software vendors. And, the authors note, software vendors are not legally obligated to provide software updates.

Imagine if the food industry was not accountable for selling spoiled milk.

June 10, 2008 11:13 AM PDT

Microsoft patches 10 flaws with seven bulletins

by Robert Vamosi

Microsoft on Tuesday released its June 2008 security bulletin, which includes three critical, three important, and one moderate patch.

Of the critical, one is for the Bluetooth stack in Windows XP and Windows Vista, one is for DirectX, and another is a cumulative update to Internet Explorer. The one moderate bulletin covers a flaw in the speech recognition feature in Windows 2000, XP, and Windows Vista. Of the important bulletins, one concerns Active Directory and another Pragmatic General Multicast (PGM). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-030: Critical

Titled "Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)", this bulletin is critical for users of Windows XP and Windows Vista (both 32-bit and 64-bit editions). The update addresses vulnerabilities detailed in CVE-2008-1453. The patch modifies the way that the Bluetooth stack handles a large number of service description requests. Microsoft says an attacker could use this to take complete control of an affected system; install programs; view, change, or delete data; or create new accounts with full user rights.

MS08-031: Critical

Titled "Cumulative Security Update for Internet Explorer (950759)", this bulletin affects all users of Windows. However, the critical designation only applies to users of Windows XP and Windows Vista; all others are deemed moderate or important by Microsoft. The update addresses vulnerabilities in CVE-2008-1442 and CVE-2008-1544. The cumulative patch fixes a couple of vulnerabilities including one that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and another which could allow information disclosure if a user viewed a specially crafted Web page using Internet Explorer.

MS08-032: Moderate

Titled "Cumulative Security Update of ActiveX Kill Bits (950760)", this bulletin affects users of Microsoft Windows 2000 Service Pack 4; all supported editions of Windows XP; and all editions of Windows Vista including Windows Vista Service Pack 1. The update addresses the issues in CVE-2007-0675. It fixes a publicly reported vulnerability for the Microsoft Speech API that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the speech recognition feature in Windows enabled.

MS08-033: Critical

Titled "Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)", this bulletin affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-0011 and CVE-2008-1444. Microsoft says the vulnerability "could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-034: Important

Titled "Vulnerability in WINS Could Allow Elevation of Privilege (948745)", this bulletin affects all supported editions of Microsoft Windows 2000 Server and Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-1451. Microsoft says an attacker could use an elevation of privilege to take complete control of an affected system, and then install programs; view, change, or delete data; or create new accounts.

MS08-035: Important

Titled "Vulnerability in Active Directory Could Allow Denial of Service (953235)", this bulletin is rated Important for all supported editions of Microsoft Windows 2000 Server, and rated Moderate for select editions of Windows XP Professional, Windows Server 2003, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1445. Microsoft says the vulnerability could be exploited to allow an attacker to cause a denial-of-service condition.

MS08-036: Important

Titled "Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)", this bulletin is rated Important for all supported editions of Windows XP and Windows Server 2003 and rated Moderate for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1440 and CVE-2008-1441. Microsoft says "an attacker who successfully exploited this vulnerability could cause a user's system to become non-responsive and to require a restart to restore functionality. Note that the denial-of-service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests."

June 5, 2008 12:47 PM PDT

Microsoft to release seven bulletins on Tuesday

by Robert Vamosi

Microsoft is planning seven security bulletins for its Patch Tuesday this month, the company announced Thursday.

Three of the bulletins are deemed critical by Microsoft, and cover Bluetooth, Internet Explorer, and DirectX. The Internet Explorer bulletin is expected to be cumulative and might include some remediation for the Safari for Windows vulnerability disclosed last month by Nitesh Dhanjani.

Three of the bulletins are termed important, and cover WINS, Active Directory, and PGM. One of the bulletins is considered moderate and covers kill bits.

The bulletins will be released on Tuesday.

April 3, 2008 11:50 AM PDT

Microsoft to issue eight bulletins on Patch Tuesday

by Robert Vamosi

On Thursday, Microsoft announced it will release eight security bulletins next week. The news is intended as a heads-up for IT departments in advance of Patch Tuesday.

Of the eight patches, five are considered "critical," and three are considered "important" by the software giant.

Among the critical patches, one will affect Microsoft Office, two will affect Windows, and two will affect the Internet Explorer browser. Of the important patches, Microsoft says one will affect Microsoft Office and two will affect Windows. The potential vulnerabilities include spoofing and remote code execution.

March 11, 2008 9:58 AM PDT

RealPlayer vulnerable in Internet Explorer

by Robert Vamosi

If you use the RealPlayer on Internet Explorer, watch out. Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers. This could allow code execution on a compromised machine. The vulnerability affects all versions of RealPlayer running under Internet Explorer.

Exploit code for this flaw has not yet been made public.

Without a patch from RealPlayer, security experts recommend disabling the killbit for the following ActiveX ClassIDs:

  • 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
  • CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

Please note that disabling the killbits above will also remove some functionality within the player.

To avoid the loss of functionality, security experts recommend using RealPlayer in a browser that doesn't support ActiveX, such as Mozilla Firefox (for Windows and Mac).

January 23, 2008 2:17 PM PST

IE7 coming at you (whether you like it or not)

by Robert Vamosi

With its February 12, 2008, Patch Tuesday release, Microsoft has decided, for security reasons, to push out Internet Explorer 7, even to businesses that have previously blocked the automatic upgrade.

According to this Microsoft knowledge base article the software giant will release the Windows Internet Explorer 7 Installation and Availability update to Windows Server Update Services (WSUS) marked as an Update Rollup package. Microsoft says for business customers who have "set WSUS to 'auto-approve' Update Rollup packages (this is not the default configuration), Windows Internet Explorer 7 will be automatically approved for installation." Microsoft introduced the delay feature to give companies a chance to test the browser.

In particular, Microsoft says companies that need to take action before February 12 include those that:

  • Use WSUS 3.0 to manage updates in their organization
  • Have Windows XP Service Pack 2 (SP2)-based computers or Windows Server 2003 Service Pack 1 (SP1)-based computers that have Internet Explorer 6 installed
  • Do not want to upgrade Internet Explorer 6 machines to Windows Internet Explorer 7 at this time
  • Have configured WSUS to auto-approve Update Rollups for installation

The knowledge base article cited above provides step-by-step instructions for companies wishing to continue to block the automatic installation of Internet Explorer 7.

This February rollup package does not apply to Windows Vista users since that operating system shipped with Internet Explorer 7.
