Archive for the ‘Internet Explorer’ Category

Update: Hacker Disclosed 4 New Microsoft Zero-Day Exploits in Last 24 Hours

May 23rd, 2019
Less than 24 hours after publicly disclosing an unpatched zero-day vulnerability in Windows 10, the anonymous hacker going by online alias "SandboxEscaper" has now dropped new exploits for two more unpatched Microsoft zero-day vulnerabilities. The two new zero-day vulnerabilities affect Microsoft's Windows Error Reporting service and Internet Explorer 11. Just yesterday, while releasing a

Posted in cyber security, hacking news, Internet Explorer, microsoft, sandbox bypass, windows security, windows Vulnerability, Windows zero-day vulnerability, Zero-Day Vulnerability | Comments (0)

Ex-YouTube engineer reveals how video site worked to kill off Internet Explorer 6

May 2nd, 2019

The year is 2009. YouTube, four years old, has become the Web's leading video site. Though Internet Explorer 6 was far from current—it had been superseded by versions 7 and 8—it nonetheless made up some 18 percent of YouTube's traffic. These were, after all, the dark days of Windows XP; corporations had overwhelmingly stuck with Windows XP in spite of the release of Windows Vista, and Windows 7 was still some months from release. Many organizations still running XP appeared to be wishing for a kind of computational stasis: they wanted to be able to run Windows XP and Internet Explorer 6 forever, unchanging, which would greatly simplify their maintenance and support costs.

But Internet Explorer 6 was nearly eight years old and seriously showing its age. On its release, the browser had a legitimate claim to be the best, fastest, most standards compliant, and most stable mainstream browser around. But those days were long gone. Compared to the alternatives—Firefox 3.5, Internet Explorer 8, and Google's Chrome—it was slow, unstable, and riddled with proprietary, non-standard behaviors. This was causing the team developing YouTube considerable pain, with weeks of extra work each development cycle to ensure that the site still worked correctly in the old browser.

According to former YouTube developer Chris Zacharias, this pain prompted the YouTube team to take renegade action to drive users away from Internet Explorer 6 and onto something newer and better. Though YouTube had been under Google's ownership for about three years, YouTube's engineers were suspicious and wary of being integrated into Google's corporate machine. They had their own special set of permissions named "OldTuber," and anyone with OldTuber permissions could freely modify the YouTube site without going through Google's usual change management process of code reviews, testing, adherence to coding standards, and so on. It was cowboy territory, where developers could do as they liked. Only the risk of breaking things—and hence losing OldTuber permissions, if not their job—kept them on the straight and narrow.

Posted in browsers, chrome, development, google, Internet Explorer, Internet Explorer 6, microsoft, standards, Tech, YouTube | Comments (0)

Unexpected security feature in Microsoft Edge could allow for file theft

April 19th, 2019

A researcher has uncovered strange and unexpected behavior in Windows 10 that allows remote attackers to steal data stored on hard drives when a user opens a malicious file downloaded with the Edge browser.

The threat partially surfaced last week when a different researcher, John Page, reported what he called a flaw in Internet Explorer. Page claimed that when using the file manager to open a maliciously crafted MHT file downloaded with Internet Explorer, the browser uploaded one or more files to a remote server. According to Page, the vulnerability affected the most recent version of IE, version 11, running on Windows 7, Windows 10, and Windows Server 2012 R2 with all security updates installed. (It’s no longer clear whether any OS other than Windows 10 is affected, at least for some users. More about that in a moment.)

Below this paragraph in Page's post was a video demonstration of the proof-of-concept exploit Page created. It shows a booby-trapped MHT file triggering an upload of the host computer's system.ini file to a remote server. Interestingly, while Page's post says his exploit is triggered when the malicious file is downloaded by IE, and makes no mention of Edge at all, the video shows the file being downloaded with the newer Microsoft browser.

Posted in Biz & IT, EDGE, exploits, Internet Explorer, vulnerabilities, Windows | Comments (0)

Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly

March 30th, 2019
Exclusive — A security researcher today publicly disclosed details and proof-of-concept exploits for two 'unpatched' zero-day vulnerabilities in Microsoft's web browsers after the company allegedly failed to respond to his responsible private disclosure. Both unpatched vulnerabilities—one of which affects the latest version of Microsoft Internet Explorer and another affects the latest Edge

Posted in hacking news, Internet Explorer, microsoft, Microsoft Edge browser, Microsoft Internet Explorer, Same Origin Policy Bypass, Vulnerability, Zero-Day Vulnerability | Comments (0)

Microsoft patches zero-day vulnerabilities in IE and Exchange

February 13th, 2019

Microsoft’s Patch Tuesday this month had higher-than-usual stakes with fixes for a zero-day Internet Explorer vulnerability under active exploit and an Exchange Server flaw that was disclosed last month with proof-of-concept code.

The IE vulnerability, Microsoft said, allows attackers to test whether one or more files are stored on disks of vulnerable PCs. Attackers first must lure targets to a malicious site. Microsoft, without elaborating, said it has detected active exploits against the vulnerability, which is indexed as CVE-2019-0676 and affects IE version 10 or 11 running on all supported versions of Windows. The flaw was discovered by members of Google’s Project Zero vulnerability research team.

Microsoft also patched Exchange against a vulnerability that allowed remote attackers with little more than an unprivileged mailbox account to gain administrative control over the server. Dubbed PrivExchange, CVE-2019-0686 was publicly disclosed last month, along with proof-of-concept code that exploited it. In Tuesday’s advisory, Microsoft officials said they haven’t seen active exploits yet, but that they were “likely.”

Posted in Biz & IT, Exchange Server, exploits, Internet Explorer, microsoft, vulnerabilities | Comments (0)

Microsoft: Yeah, we make Office 2019 and Internet Explorer, but don’t use ‘em

February 8th, 2019

In an unusual turn of events, Microsoft this week warned Windows users off from using its Internet Explorer and dissed its new Office 2019 suite in a series of videos that show it to be worse than the competition.

While Windows 10 uses the newer, faster, much more standards compliant Edge browser as its default, it still ships with Internet Explorer 11. Enterprise customers with legacy systems from time to time want to make Internet Explorer 11 the default, but Microsoft doesn't think this is a good idea. Internet Explorer 11 isn't being updated to support new Web technology (and indeed, hasn't been updated for many years), existing only as a compatibility tool to access legacy "designed for Internet Explorer" content that simply won't work properly in any other browser.

As such, while it might be tempting to set Internet Explorer as the default to ensure that any intranet and line-of-business applications continue to work, that comes at a price. It will be slower, less secure, and increasingly incompatible with the broader Web as developers drop the old browser from their testing. So please, use it only when it's absolutely necessary.

Posted in Internet Explorer, microsoft, office, productivity, Tech, Web | Comments (0)

Microsoft issues emergency update to fix critical IE flaw under active exploit

December 20th, 2018

Microsoft has issued an emergency update that fixes a critical Internet Explorer vulnerability that attackers are actively exploiting on the Internet.

The memory-corruption flaw allows attackers to remotely execute malicious code when computers use IE to visit a booby-trapped website, Microsoft said Wednesday. Indexed as CVE-2018-8653, the flaw affects all supported versions of Windows. The vulnerability involves the way Microsoft's scripting engine handles objects in memory in Internet Explorer.

In a separate advisory, Microsoft said the vulnerability is being used in targeted attacks, but the company didn't elaborate. Microsoft credited Clement Lecigne of Google's Threat Analysis Group with discovering the vulnerability. No other details were available about the vulnerability or exploits at the time this post was being reported.

Posted in Biz & IT, exploits, Internet Explorer, microsoft, vulnerabilities, Windows | Comments (0)

Chrome, Firefox, Edge and Safari Plans to Disable TLS 1.0 and 1.1 in 2020

October 15th, 2018
All major web browsers, including Google Chrome, Apple Safari, Microsoft Edge, Internet Explorer, and Mozilla Firefox, jointly announced today that they will soon remove support for the TLS 1.0 (20 years old) and TLS 1.1 (12 years old) communication encryption protocols. Developed initially as the Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) is an updated cryptographic protocol used to

Posted in Apple Safari, Firefox, Google Chrome, Internet Explorer, Microsoft Edge browser, safari update, SSL Certificate, SSL TLS security, TLS encryption, Web browser security | Comments (0)

It’s the final countdown for SHA-1 SSL certificates

November 23rd, 2016

Apple, Microsoft, Google and Mozilla finally set roadmaps for deprecating venerable but outdated SHA-1 certificates

Posted in Apple Safari, Certificates, Firefox, Google Chrome, Internet Explorer, SHA-1, SSL, Web Browsers | Comments (0)

Microsoft Releases 12 Security Updates (5 Critical and 7 Important Patches)

September 9th, 2015

With the release of 12 Security Bulletins, Microsoft addresses a total of 56 vulnerabilities in its different products. The bulletins include five critical updates, out of which two address vulnerabilities in all versions of Windows.

The September Patch Tuesday update (released on the second Tuesday of each month) brings the total to 105 Security Bulletins released this year, which is more

Posted in Denial of Service, Internet Explorer, Microsoft Edge browser, Microsoft Patch Tuesday, privilege escalation, Remote code execution vulnerability, Security patch Update, Vulnerability | Comments (0)