Microsoft plans patch for critical flaw in Word next Tuesday

Tony Bradley, PCWorld

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.

It’s the first Thursday of October. Do you know what happens on the first Thursday of each month? Microsoft provides an advance notification of the security bulletins it plans to release on the second Tuesday of the month—more commonly known as Patch Tuesday.

Following an unusually light Patch Tuesday in September, Microsoft was forced to deal with the specter of a zero-day exploit being used in the wild to attack Internet Explorer. Microsoft responded with an out-of-band patch reflecting the urgent nature of the threat.

IT admins will be a little busier in October. According to the Microsoft Security Bulletin Advance Notification for October 2012, Microsoft has a total of seven new security bulletins slated for release next week. Six of the seven are rated merely as Important, while the seventh—a patch for a flaw affecting all supported versions of Microsoft Word—is rated as Critical for Word 2010.


Microsoft pushes out critical security updates for Internet Explorer

Tony Bradley, PCWorld

Microsoft has published an out-of-band security bulletin—MS12-063—to address a vulnerability that is being actively exploited in attacks in the wild. In addition, Microsoft released an update to resolve a critical flaw in Adobe Flash in Internet Explorer 10—which is the default browser in Windows 8 and Windows Server 2012.

Microsoft has responded quickly in its investigation of reports that a zero-day vulnerability in Internet Explorer is being actively exploited. Microsoft issued a security advisory with workarounds and mitigating factors to help customers guard against attacks pending a fix. Then, it released a one-click Fix-It tool to protect customers while kicking its developers into high gear to create a more permanent fix.


What you need to know about the Internet Explorer zero-day attacks

Tony Bradley, PCWorld

Microsoft has confirmed reports that a zero-day vulnerability in its Internet Explorer Web browser is being actively attacked in the wild. While Microsoft works diligently to crank out a patch, it’s important for businesses and consumers to understand the threat, and the steps that can be taken to avoid compromise while you wait.

Microsoft has published a security advisory acknowledging the threat. According to Microsoft, the zero-day exploit affects Internet Explorer 7, 8, and 9. Internet Explorer 10 is not impacted, but it’s not completely safe because it remains vulnerable to flaws in the embedded Adobe Flash.

The Microsoft advisory includes some tips that can be used to defend against this threat pending a patch for the underlying flaw. Microsoft recommends that customers use the Enhanced Mitigation Experience Toolkit (EMET) to implement mitigations that can prevent the zero-day exploit from working. In addition, Microsoft advises customers to set the Internet and local intranet security zone in Internet Explorer to “High” to block ActiveX controls and Active Scripting from running, or at least configure it to prompt before executing.


Microsoft confirms patch for Flash in IE10 coming soon

Adobe recently issued an update for the popular Flash Player utility to patch critical flaws that could allow an attacker to run malicious code on the target system. But, if you’re using Windows 8, the version of Flash that Microsoft has embedded in Internet Explorer 10 is still vulnerable. Good news, though—an update is forthcoming to address that problem.

Adobe responds quickly to patch identified vulnerabilities, and most Windows users are conditioned to apply security updates as they’re released, but Microsoft is responsible for updating Flash in its Web browser. Windows 8 hasn’t yet officially launched, though, and Microsoft’s initial response was that Flash would not be updated until after October 26 when Windows 8 becomes available to the general public.

Microsoft baked Flash into IE10, so it's responsible for patching it.
A couple of the flaws addressed by Adobe were given its highest threat warning level, and are associated with attacks that are already circulating in the wild. Last week, Adobe confirmed that Windows 8 users are still vulnerable to these threats.


The FBI’s Next Generation Identification program could spot faces in a crowded street

The FBI is getting ready to roll out a new nationwide program to better identify criminals called the Next Generation Identification (NGI) project. The new program is expected to add biometric data to the Bureau’s toolkit with iris scans, DNA analysis, voice identification, and even the ability to pick out a person’s face in a crowded street using surveillance cameras.

The FBI and Lockheed Martin Transportation and Security Solutions, which won the NGI contract, have received $1 billion to make the NGI project a reality. According to New Scientist, a handful of states have already created a criminal photo database as part of an NGI pilot program that will go nationwide by 2014.

Theoretically, the NGI system would be able to use its mugshot database to pick out criminals in a crowd using a face-matching algorithm. The program would scan for faces in footage taken by security cameras or public images uploaded to the Internet. The algorithm would then return a number of hits for investigators to look into.


Get ready: Microsoft is raising the bar for encryption keys

Great news! Next Tuesday is already Patch Tuesday for September, but Microsoft only has a couple of relatively minor updates lined up. Don’t get too comfortable, though—you need to prepare for the changes Microsoft is making next month for cryptographic keys.

Let’s start with Patch Tuesday. September is a dramatic departure from previous months. Unlike the many months that have been loaded down with multiple Critical updates, or the fact that Internet Explorer has been updated monthly for the past few months, Microsoft only has two security bulletins scheduled for this month.

Microsoft will soon consider any cryptographic key less than 1024 bits invalid.
The last couple of months have each had nine new security bulletins, and the average per month through August is 7.5. Two is a manageable number that will make many IT admins very happy. Throw in the fact that both of the security bulletins are rated as Important, and that they impact software or platforms that many businesses don’t even use, and some IT admins may essentially get this Patch Tuesday off free and clear.


Apple device IDs hacked: What you need to know

A hacker collective known as AntiSec has published over a million Apple device IDs that it claims were captured from the laptop of an FBI agent. If you own an iPhone or iPad, you might be wondering what this hack means to you, and you might also be curious about why the FBI had your Apple UDID in the first place.

The information was acquired and released by the hackers as a political statement. The lengthy diatribe posted on Pastebin along with the hacked Apple ID info rants about government oppression and hypocrisy.

Why does the FBI have 12 million Apple device UDIDs on a laptop?
While the group has published one million and one hacked Apple device IDs, it should be given at least a little credit for restraint. The details stolen from the FBI laptop included more personal information as well—such as full names, cell phone numbers, addresses and zip codes.
