Yesterday we reported that a Zero-day exploit had been discovered in Microsoft’s flagship browser, Internet Explorer.  That report noted that only systems running Windows XP or Windows Server 2003 and Internet Explorer 7 were vulnerable.  That was a gross understatement.

This unpatched security hole in IE is now known to affect all versions of the browser up to, and including, the beta versions of Internet Explorer 8.  Microsoft is continuing to investigate and we expect an out-of-band security patch will be forthcoming.

To effectively protect your PC, Microsoft recommends setting the Internet Zone security level to High and using access control lists to disable Ole32db.dll.

Read More...

Even with all of the  fixes that Microsoft deployed with December's Patch Tuesday, they failed to address a serious heap overflow exploit within the XML parser. 

The exploit creates an XML tag, then pauses for a 6 second delay as it attempts to avoid detection from antivirus engines.  Once the time has passed, the exploit could crash the browser and execute malicious code when the browser restarts.

Read More...

The Microsoft Security Response Center (MSRC) has released the advanced notification listing for vulnerabilities being patched next Tuesday, and it's fairly big.  The latest release includes eight new security bulletins, six of which are Critical and two are Important.  As usual, the Microsoft Windows Malicious Software Removal Tool will also be updated.

Also coming on Tuesday December 9, 2008 are some high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS).

The latest round of security updates include two Critical Windows updates, Critical updates for Internet Explorer, Visual Basic, Word, and Excel.  You'll also see two Important updates for SharePoint and WMC.  Four of the eight new updates will require a restart of your systems.  All of the vulnerabilities could allow remote code execution or elevation of privileges.

For complete details, you can read the Microsoft Security Bulletin Advance Notification for December 2008.

Finally, the first releases of R2 for Windows Server 2008 are starting to roll out and the updates for Core are looking phenomenal!  The Server Core team blog published the details last week that include support for the .NET Framework. 

Here's a shortlist of some of the updates that they provided:

• Active Directory Certificate Services is now an available Server Role.
• WoW64 support for 32bit applications is now an optional feature in Server Core and is not installed by default.
• Added the following as optional features:
  • Subset of .NET Framework 2.0
  • Subset of .NET Framework 3.0 and 3.5 – WCF, WF, and LINQ
  • Windows PowerShell
  • ASP.NET and additional IIS support – the only IIS feature not available in Server Core is the management GUI
  • FSRM

The important thing to note about all of the above is that they are all optional so if you won’t be using them you don’t need to install, manage, and maintain them.

As a web application hosting provider, I can't wait to get my hands on the final release of R2 and get right to work with Server Core.  If you aren't familiar, Server Core allows you to create a no frills server installation that has a very small footprint.  The end result is a server that is more secure because it only contains the essential services and none of the extra junk.  It also means a significant savings in memory and hard disk usage, as well as less frequent patching.

[Via]

For those of you with WiFi routers in your home, you may or may not know how easily someone can hack your connection.  Many users never enable encryption to begin with.  That's like leaving your front door wide open 24 hours a day.  Those users that turn on encryption generally don't know what they are dealing with and sleep better knowing that they at least encrypted their wireless network.

Sadly, that's not enough.  Simple WEP encryption has long been known to be easily cracked, with the average hack taking less than 10 minutes to complete.  WPA encryption was brought out to increase the level of protection, however was also recently cracked... well partially.  For full details, check out this article on ARS Technica.

The good news is that it's easy to protect yourself.  All you have to do is log into your router and turn off Temporal Key Integrity Protocol (TKIP) as an encryption mode.  You can use Advanced Encryption System (AES) instead and maintain a decent level of security, as the current hack only applies to TKIP.  If you have a wireless network, I would strongly suggest doing that now.  You never know who is lurking about.

In a move that is sure to rattle the cages of their competitors, Microsoft has decided to drop the price of their consumer security suite by 100%.  Yep, it's going to be free.  Now you can be protected and you can keep your $49.95 for other things, like groceries.

The Windows Live OneCare service is actually a bundle of protection products that includes antivirus, antispyware, firewall, wireless networking security, and online identity theft protection.  This free deal kicks the pants off of the ZoneAlarm deal I posted this morning. 

Read More...

Well, it's Tuesday and that means for today only, you can download ZoneAlarm Pro for FREE!

Yes, you read that correctly!  To celebrate the 15th aniversary of Check Point (the company behind ZoneAlarm), they are giving away a one year subscription to their flagship security software free of charge.  The package normally sells for $39.95 for a one year subscription.

The download location for the free ZoneAlarm Pro package will go live at 6 AM PDT.

Read More...

On Tuesday AVG Technologies released an update for their AVG 8 antivirus product that falsely detects a Windows XP system file as a virus.  Specifically, it sees the file as a Trojan horse and users who delete this file are in for a shock.  Their system may enter into an infinite reboot loop, or worse, not even boot at all.  AVG immediately released a follow-up update that contained a fix for the false positive detection.  Users who are experiencing problems should acquire the fix tool from AVG.

The good news is that the update only affects AVG 8 products running on Dutch, Italian, Portuguese, and French versions of Windows XP. 

Read More...

Two Microsoft Security Bulletins have been released for November's Patch Tuesday.  Don't let the small number fool you, one is ranked critical and the other is ranked important - the two most serious rankings a security bulletin can be tagged with.

The critical patch affects XML Core Services in Windows and Office, while the important patch only affects Windows.  As usual, if exploited, the vulnerabilities could allow remote code execution.

Patch up people!  The patches will be made available through Windows Update on November 11.

Core Security Technologies says it has discovered a new critical security hole in Adobe Reader that could allow an attacker to take control of a computer running the software.  This newly found vulnerability affects Adobe Reader version 8.12.

Essentially, an attacker could embed malicious JavaScript code inside of a PDF.  According to CNET News, "Once the file is opened, the code could manipulate the program's memory allocation pattern and trigger the vulnerability to execute arbitrary code with the privileges of that user."

Sadly, a CoreLabs researcher discovered the vulnerability back in May, however Adobe has yet to patch this hole.  Similar vulnerabilities have been found in Adobe software in the past.