Internet Explorer hit by serious vulnerability – MS issues security patch – Windows XP Included


Microsoft has reported that a security flaw in its Internet Explorer browser could allow hackers to access your personal information especially if you are still using Windows XP.

The bug has been found to affect IE versions 6 through 11 and was found by Microsoft’s security company FireEye. The company says that the flaw leaves around 56 percent of the browser market vulnerable to attack. The bug has been classified as a “Zero Day” flaw which gives victims zero warnings before attack.

The flaw is a remote code execution vulnerability which means that a hacker can successfully run software on a victim’s computer after attack. Microsoft issued a security alert which said that “the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. The phrase “arbitrary code” means pretty much any software that the attacker chooses to run.”

In short, a hacker could install programs, view and delete data simply by visiting a website that you are running at the same time on your IE.

FireEye has said that a gang of attackers has already launched a campaign exploiting the flaw. Microsoft reported that IE9 through IE11 versions are the worst-hit as the three versions of IE account for almost 26 percent of the web browsers currently in use around the world. The software giant has said that Internet Explorer 10 and 11 are safe from the flaw only if the Enhanced Protected Mode in these browsers is turned on. The company is currently working on fixing the problem and might soon come out with an update.

UPDATE : Microsoft is issuing a fix for the “zero-day” vulnerability found in Internet Explorer last week. The update should be rolling out to all users any time now. In addition to updating Internet Explorer, Microsoft is also providing a fix for Windows XP, despite the fact that the operating system is no longer officially supported. The fix was issued because support for XP ended recently.

Source : Microsoft.

Heartbleed bug: What you need to know


What is Heartbleed bug?

Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords.

heartbleed

The issue is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160.

The damage caused by the “Heartbleed” bug is currently unknown. The security hole exists on a vast number of the internet’s web servers and went undetected for more than two years. While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.

There isn’t much that people can do to protect themselves until the affected websites implement a fix.

Why is it a big deal?

Heartbleed affects the encryption technology designed to protect online accounts for email, instant messaging and e-commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google researcher who was working separately.

It’s unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.

How does it work?

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred.

The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

Which sites are affected?

There are half a million believed to be vulnerable so too many to list but there is a glut of new sites offering users the chance to check whether the online haunts they use regularly are affected.

The LastPass website  has compiled a list as has new websiteMashable . Meanwhile security firm Kaspersky directs people to theHeartbleed test.

While Facebook and Google say that they have patched their services, according to the Kaspersky blog,  there is a long list of sites that are still vulnerable, including Flickr, OkCupid and Github.

One of the biggest tech firms remaining on the vulnerable list was Yahoo but, as of last night, it too seemed to have remedied the problem saying it “had made the appropriate corrections across our entire platform”.

Many more sites will spend the coming days scrambling to do the same.

Bruce Schneier called on internet companies to issue new certificates and keys for encrypting internet traffic. Doing so would render stolen keys useless, he said.

Worst case scenario

The bad news, according to a blog from security firm Kaspersky  is that “exploiting Heartbleed leaves no traces so there is no definitive way to tell if the server was hacked and what kind of data was stolen”.

Security experts say that they are starting to see evidence that hacker groups are conducting automated scans of the internet in search of web servers using OpenSSL.

And Kaspersky said that it had uncovered evidence that groups believed to be involved in state-sponsored cyber-espionage were running such scans shortly after news of the bug broke.