Microsoft has issued an emergency update to patch a critical vulnerability that affects all supported versions of Internet Explorer. If you haven’t already installed the fix, it’s recommended that you do so ASAP as hackers are said to be actively exploiting it. Here’s everything you need to know.
Security bulletin MS15-093 pertains to a remote code execution flaw found in all supported versions of Internet Explorer (IE7 and newer, in both 32- and 64-bit variants); Microsoft’s Edge browser for Windows 10 isn’t at risk.
Specifically, the vulnerability stems from Internet Explorer improperly accessing objects in memory, which can corrupt memory in a way that lets an attacker run code remotely. The attacker would gain the same user rights as the current user, so those running with full admin rights are at greater risk than users with restricted accounts.
Microsoft says an Internet Explorer user who visits a specially crafted website designed to exploit the flaw could be compromised. What’s more, attackers don’t need their own site, as the bug can be exploited through ad networks used on legitimate sites. Getting users to a compromised or crafted page is also easier than it sounds; a phishing attempt via e-mail would certainly do the trick.
Again, Microsoft notes that the vulnerability is being actively exploited although it didn’t provide any further details on the matter. Users can grab the patch via Windows Update or obtain the standalone fix via the Microsoft Download Center.
If there’s one thing websites love to do it’s track their users. Now, it looks like some browsers can even be tracked when they’re in private or incognito mode. Sam Greenhalgh of U.K.-based RadicalResearch recently published a blog post with a proof-of-concept called “HSTS Super Cookies.” Greenhalgh shows how a crafty website could still track users online even if they’ve enabled a privacy-cloaking setting.
The key to the exploit is to use HTTP Strict Transport Security (HSTS) for something it wasn’t intended for. HSTS is a modern web feature that allows a website to tell a browser it should only connect to the site over an encrypted connection.
Say, for example, John types SecureSite.com into a browser that supports HSTS. SecureSite’s servers can then tell John’s browser that it should only connect to SecureSite over HTTPS. From that point on, all connections to SecureSite from John’s browser will use HTTPS by default.
The problem, according to Greenhalgh, is that for HSTS to work, your browser has to store which sites it must connect to over HTTPS. That stored data can be manipulated to fingerprint a specific browser. And because HSTS is a security feature, most browsers maintain that data whether you’re in private or normal mode—meaning that once your browser has been fingerprinted, it can be tracked even in incognito mode.
Even under cover of incognito mode, HSTS Super Cookies still make browsers trackable.
When in private browsing or incognito mode (sometimes called “porn mode”), your browser won’t retain data such as cookies and browsing history once the private session has ended—unless it’s tricked into doing so by a Super Cookie.
The story behind the story: Although Greenhalgh’s blog post is gaining traction, people have been talking about the privacy and security trade-offs of HSTS for some time. The Chromium team, which creates the open source browser that Chrome is based on, discussed the issue as early as 2011. In 2012, security firm Leviathan published a blog post raising similar concerns, and Robert “RSnake” Hansen raised the issue on his blog ha.ckers.org in 2010.
Although this issue has been known for some time, it’s not clear whether any sites are actually using this weakness to track users. Regardless, you can protect yourself in Chrome by erasing your cookies before going into incognito mode, because Chrome automatically flushes the HSTS database whenever you delete your cookies. Firefox does something similar, but Greenhalgh says the latest version of Firefox solved the issue by preventing HSTS settings from carrying over to private browsing mode.
Safari is a bigger problem, however, as there is apparently no obvious way to delete the HSTS database on Apple devices like the iPad or iPhone, Greenhalgh says. HSTS flags are also synced with iCloud, making HSTS Super Cookie tracking even more persistent (at least in theory) when using Apple hardware.
HSTS Super Cookies only appear to work if you first visit a site in a non-private mode. Anyone visiting a site for the first time in private mode will not carry over an HSTS super cookie to their regular browsing.
As for Internet Explorer users, the good news is you are completely protected from this type of tracking! Now for the bad news: It’s because IE doesn’t support HSTS at all.
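To make concrete what a browser actually stores for HSTS, and why the private-mode isolation the article credits to Firefox closes the leak, here is an added example in Go; it is not code from Greenhalgh or from any browser vendor. It models a minimal HSTS store (header parsing per RFC 6797, includeSubDomains, expiry), the flush-with-cookies behaviour the article attributes to Chrome, and a private session that either shares or isolates the normal-mode store; the host names in the comments and tests are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// hstsEntry is one remembered "only ever use HTTPS for this host" rule.
type hstsEntry struct{ expires time.Time; subdomains bool }

// HstsStore models the browser-side state HSTS needs: host -> rule. This
// persisted, cross-mode state is exactly what an HSTS Super Cookie reads back.
type HstsStore struct{ entries map[string]hstsEntry }

func NewHstsStore() *HstsStore { return &HstsStore{entries: map[string]hstsEntry{}} }

// Learn records a Strict-Transport-Security header received over HTTPS from
// host, e.g. "max-age=31536000; includeSubDomains". max-age=0 forgets the host.
func (s *HstsStore) Learn(host, header string) error {
	maxAge, subs := int64(-1), false
	for _, d := range strings.Split(header, ";") {
		d = strings.TrimSpace(d)
		switch {
		case strings.HasPrefix(strings.ToLower(d), "max-age="):
			n, err := strconv.ParseInt(strings.Trim(d[8:], "\""), 10, 64)
			if err != nil || n < 0 {
				return fmt.Errorf("bad max-age in %q", header)
			}
			maxAge = n
		case strings.EqualFold(d, "includeSubDomains"):
			subs = true
		}
	}
	if maxAge < 0 {
		return fmt.Errorf("missing max-age in %q", header)
	}
	host = strings.ToLower(host)
	if maxAge == 0 {
		delete(s.entries, host)
		return nil
	}
	s.entries[host] = hstsEntry{time.Now().Add(time.Duration(maxAge) * time.Second), subs}
	return nil
}

// ShouldUpgrade reports whether a plain http:// request to host would be rewritten
// to https://, the one bit of state a page can observe. Parent-domain rules apply
// only if they carried includeSubDomains.
func (s *HstsStore) ShouldUpgrade(host string) bool {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := range labels {
		e, ok := s.entries[strings.Join(labels[i:], ".")]
		if ok && time.Now().Before(e.expires) && (i == 0 || e.subdomains) {
			return true
		}
	}
	return false
}

// Clear is what Chrome does when you delete cookies: the HSTS database goes too.
func (s *HstsStore) Clear() { s.entries = map[string]hstsEntry{} }

// PrivateSession returns the store a private window consults. shared=true is the
// leaky design the article describes; shared=false is Firefox's fix: a fresh
// store that is thrown away when the private window closes.
func PrivateSession(normal *HstsStore, shared bool) *HstsStore {
	if shared {
		return normal
	}
	return NewHstsStore()
}
```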
Version 11 might be the end of the line for Microsoft’s Internet Explorer, according to sources speaking to expert Microsoft analyst Mary Jo Foley. Instead of retooling the browser yet again for its next operating system and calling it Internet Explorer 12, Foley says that Microsoft will instead ship a wholly new Web browser with Windows 10, with IE11 riding along as a backwards-compatible alternative.
The new browser is currently under development at Redmond and has the project codename of “Spartan.” A formal brand name for it has yet to be announced, but Foley notes that Microsoft employees mentioned in a Reddit AMA a few months ago that Microsoft had considered potentially discarding the “Internet Explorer” name and brand. That branding turns 20 years old in August 2015 and has two decades’ worth of mental associations and baggage—some of it positive, much of it extremely negative. It seems certain at this point that “Spartan,” when it ships, will not do so under the IE brand umbrella.
Spartan is expected to be lighter and quicker than Internet Explorer 11; it will include proper extension support as well. It’s also supposed to come in desktop and mobile versions for inclusion with both the desktop and mobile versions of Windows 10. Foley speculates that Microsoft may give the public a peek at Spartan near the end of January with the next big Windows 10 reveal, but it’s unclear whether or not the browser will make it into the next Windows 10 Technical Preview.
If you’ve noticed Internet Explorer running slowly lately—or just halting altogether—here’s one possible cause: dialog boxes.
On Friday, the same day that Microsoft recommended users download the latest updates for Windows 7 and 8, Microsoft issued a hotfix for Internet Explorer. According to a support article issued Friday, “web applications that implement consecutive modal dialog boxes may cause Internet Explorer to become slow and unresponsive over time.”
Microsoft issued the hotfix for Internet Explorer versions 7 through 11—basically every major version.
What’s a “modal dialog box”? It’s a dialog box that an application interjects, forcing you to take some action. It could be, for example, a box asking what to do with a downloaded file, or a query confirming that you really want to close a window. If they happen consecutively, IE’s performance could slow, or the browser could simply stop working altogether.
One example of a modal dialog box.
Note that only users who stay up to date with Internet Explorer are affected. Specifically, if you’ve installed the MS14-037 or MS14-051 cumulative security updates, you’re exposed to the problem.
Microsoft’s support page lists the updates you’ll need to apply, which for now is nothing more than an update package. You’ll need to restart your PC to apply it.
Unfortunately for Microsoft, Friday was one of those days you’d like to forget. Fortunately, Microsoft’s hotfix for Internet Explorer is a much simpler update than the registry fixes you’ll need to apply to back out of the botched August update that Microsoft began rolling out this week. Either way, it’s still a headache that you’ll need to deal with either tonight or when you return to work on Monday morning.
Microsoft has released its advance notification for the August 2014 Patch Tuesday updates. There will be a total of nine updates issued next Tuesday, August 12, two of them rated critical.
The two critical bugs affect Windows and Internet Explorer. The critical Windows update affects only business and professional editions of Windows 7 and Windows 8. The Internet Explorer update affects all versions on all supported platforms. The remaining seven updates are rated important and affect Windows, Office, SQL Server, the .NET Framework and SharePoint Server 2013.
Microsoft will also release a new version of the Windows Malicious Software Removal Tool and probably some as-yet undisclosed number of non-security updates to various Windows versions. It has also become popular for other companies, most prominently Adobe, to release security updates for their own products on that day.
As announced earlier this week, Microsoft will also be releasing a change to Internet Explorer on Tuesday that will cause it to warn users when the browser attempts to load an ActiveX control which is on a Microsoft-maintained list of old and out-of-date controls. Initially, the list will contain only old Java versions.
Windows 8 and Internet Explorer, especially version 11, have been growing steadily since their release. But that growth came to a halt in June, and it didn’t pick up in July, with Microsoft’s new operating system in fact declining ever so slightly. But one battle that’s been raging for years has quietly seen a big change: Android’s presence on the Web has passed iOS’s.
The big desktop mover in July was Chrome, which is now up past 20 percent usage share. It gained a substantial 1.03 points, making big gains for two months in a row. Internet Explorer and Firefox both lost out, dropping 0.37 and 0.46 points respectively. Safari and Opera were also slightly down, falling by 0.12 and 0.06 points.
Safari has been on a downward trajectory for the better part of a year, as Android is making its presence felt on the Web. While Android has been consistently outselling iOS, this hasn’t been well reflected in Web data, suggesting perhaps a different usage pattern among Android buyers. But all those sales count for something. Apple’s browser is down 1.24 points. Android Browser is also down, falling 0.81 points, but Chrome is up a whopping 1.36 points, and the cross-platform Opera Mini is also up, gaining 0.8 points. Mobile Internet Explorer reached a new high, too, gaining 0.49 points in July.
The mobile operating system share (not graphed) is closely aligned with these browser numbers. iOS sits at 44.19 percent, compared to Android’s 44.62 percent, marking the first time (according to Net Market Share, the provider of the data we use) that Google’s operating system has passed Apple’s. Windows Phone is also at a new high, at 2.49 percent.
Internet Explorer 11’s growth seems to be well and truly at an end. In June it saw a negligible 0.02 point decline, but in July it was a little more pronounced, dropping 0.23 points. Internet Explorer 8, however, was up 0.31 points. While it does look as if every Internet Explorer 10 user who wants to upgrade to 11 has indeed made that switch, the decline likely represents a shift in Windows usage: Internet Explorer 8 is the version that’s preinstalled in Windows 7, and the newest version that’s available in the obsolete, unsupported, and insecure Windows XP…
… and as we can see, Windows 7 ticked upwards in July, and Windows XP refuses to disappear. More alarmingly, Windows 8.1 was very marginally down, dropping 0.05 points, and Windows 8.0 fell 0.01 points. Windows 7 was up 0.67 points, in contrast. Windows XP fell 0.49 points, so still a long way to go before that magnet for malware is off the Internet.
People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo, and possibly an unlimited number of other Internet properties.
A blog post published Tuesday by Google security engineer Adam Langley said the fraudulent transport layer security (TLS) certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India’s Controller of Certifying Authorities (CCA). The CCA, in turn, is trusted by the Microsoft Root Store, a library that IE and many other Windows apps rely on to process the TLS certificates that banks, e-mail providers, and other online services use to encrypt traffic and prove their authenticity. (Firefox, Thunderbird, and Chrome on Windows aren’t at risk. More about that later in this post.)
In an update posted Wednesday, Langley said the CCA confirmed that the bogus certificates were the result of a compromise of NIC’s certificate issuance process. The CCA reportedly said only four certificates were compromised. In a sign the CCA’s findings aren’t reliable, or at least are only tentative, Langley went on to say Google researchers are aware of still more counterfeit credentials stemming from the NIC breach.
“The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains,” he wrote Wednesday. “However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.”
The CCA has already revoked all certificates held by intermediate authority NIC. The revocation in theory means Windows users who encounter one of the fraudulently issued TLS certificates will be alerted through mechanisms including the certificate revocation list and online certificate status protocol, which are supposed to flag revoked credentials before they’re trusted by a browser or other app. In practice, and as Ars reported following the catastrophic Heartbleed vulnerability, the real-time revocation checks are trivial for attackers to bypass.
House of cards
The result is that IE and other apps that rely on Windows to know which certificates to trust have no reliable way of detecting the bogus credentials at the moment. Worse still, at this early stage in the investigation, there’s no way of knowing just how many certificates were fraudulently issued. Based on Langley’s account, there are at least five impostors (the four confirmed by CCA and at least one other not included in that list seen by Google), but it’s hard to imagine attackers with the control over a Windows-trusted authority would stop at just a handful. Absent some technical constraint, there’s every reason the attackers minted hundreds, thousands, or even more of the fake IDs.
It was precisely this scenario following the 2011 compromise of DigiNotar that prompted Microsoft to hardwire the revocation of the Dutch certificate authority directly into Windows. By the time Microsoft and other software makers responded, more than 300,000 Internet users, mostly located in and around Iran, were exposed to the certificates when accessing Google mail. Asked Wednesday afternoon if Microsoft planned to follow a similar path this time, company officials issued the following statement:
“We are aware of the mis-issued third-party certificates and we have not detected any of the certificates being issued against Microsoft domains. We are taking the necessary precautions to help ensure that our customers remain protected.”
Developers can try out new features of the next version of Internet Explorer using a test edition Microsoft has released for their use.
The Internet Explorer Developer Channel, which can be downloaded for Windows 8.1 and Windows 7 SP1, runs independently of the user’s copy of IE, allowing programmers to test the newest browser features without disrupting their current browser setup.
The Internet Explorer Developer Channel will offer an early version of IE while it is still being worked on by Microsoft programmers. Developers can preview features planned for the upcoming editions of the browser to help them better build Web applications and pages that use the new capabilities.
Microsoft also hopes that developers will offer feedback, so the company can better implement the pending features.
The developer version offers a sandbox-like testing environment so it does not interfere with the user’s IE browser profile. The browser does not run as quickly as the standard edition of IE and because it is a beta version, should not be used in production environments. The first Developer Channel release offers automated WebDriver testing, enhanced F12 developer tools, and Xbox controller support for web-based games.
With the test version, Microsoft is replicating the fast development environments used by other browser makers.
Mozilla offers nightly builds of the next version of the Firefox browser under development. Google also offers developer versions of its Chrome browser.
Microsoft plans to issue frequent updates to the test version of IE, announcing them through the DevChannel.Modern.IE developer resource site. Microsoft’s F12 Developer Tools were designed to help debug and optimize Web pages and Web applications.
Microsoft pushes out massive security update for Internet Explorer
Six down, six to go. Today is the Microsoft Patch Tuesday for June, and it comes with seven new security bulletins. The good news is that five of the seven are only rated as Important, but one of the two Critical security bulletins—the cumulative update for Internet Explorer—is huge.
In all, the seven security bulletins address a total of 66 specific vulnerabilities. The Cumulative Security Update for Internet Explorer (MS14-035) accounts for 59 of them—a record for a single Microsoft security bulletin.
Microsoft issued fixes for flaws in remote desktop, Lync Server, XML Core Services, Word, the TCP protocol, and the Microsoft Graphics Component that affect a range of products and services including versions of Windows and Office. The impact of a successful exploit ranges from denial of service, to information disclosure, to remote code execution, but the “star” of the show is Internet Explorer.
“Last month, IE saw a lot of activity, first with the out-of-band patch released on May 1, a point fix released as part of May’s Patch Tuesday, and a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21,” says Russ Ernst, director of product management for Lumension.
The cumulative update from Microsoft includes a fix for the vulnerability reported to ZDI. Thankfully, none of the vulnerabilities fixed by this update are actively under attack as far as we know. Even the two flaws that are already publicly disclosed are not facing any known active attacks.
That said, with 59 separate vulnerabilities in the most widely-used browser, it is an absolute certainty that malware developers will be working diligently to reverse-engineer the patches and craft exploits to target those flaws. It is absolutely imperative that you apply the patch for MS14-035 as soon as possible.
The other Critical security bulletin this month—MS14-036—addresses a couple of vulnerabilities in the Microsoft Graphics Component that could enable remote code execution if successfully exploited. The list of affected applications is extensive, including all versions of Windows and Office.
Tyler Reguly, manager of security research for Tripwire, stresses that upgrading to more current operating systems and applications has perks from a security perspective. “MS14-034, which affects only Office 2007, is a reminder that Microsoft’s Security Development Lifecycle really does work,” he says. “It would be nice to see them shorten their support windows, forcing consumers and enterprises to upgrade more frequently. This would remove older, more vulnerable software from the picture.”
Review the security bulletins from Microsoft and figure out which ones apply to you. I recommend you install all applicable updates to fix vulnerabilities before malware developers figure out how to exploit them. Start with the two Critical updates—MS14-035 and MS14-036—but then move as quickly as possible to implement the rest of the updates as well.
Aiming to provide more transparency in how it develops Internet Explorer, Microsoft has launched a website to help keep developers abreast of the latest changes and plans for the browser.
The site aims to put IE on a footing similar to that of Mozilla Firefox and Google Chrome. Those browsers are open-source projects, so details about pending technologies are known to third-party developers early on, simply because their development happens in public.
Historically speaking, Web developers have tended to view IE as the most closed of the browsers, given the relative paucity of information provided by Microsoft about the technologies and standards it would support. This could be problematic when a developer wanted to use a new Web standard but would hold back until it was known that IE would support that standard.
A heads-up for developers
Software providers such as Microsoft have traditionally withheld details about new features until release. Web developers, by contrast, prefer plenty of detail early in the development process, so they can write apps that use new features as soon as possible, or know to avoid a standard that won’t be widely supported across browsers.
“The current list of features ‘in development’ is not an exhaustive representation of what we will deliver in the next version, but an indication of what we currently have highest confidence in delivering,” wrote Sam George, Microsoft’s Internet Explorer partner group program manager, in a blog post announcing the launch.
The site lists 153 technologies in various stages of development. Some are being developed by Microsoft while others are being built by working groups within the World Wide Web Consortium (W3C) or other industry groups.
The site specifies which, if any, versions of IE support each technology, as well as which other browsers run the technology, such as Chrome and Firefox. It also shows the current development status for the technology, whether it is under development or already implemented.
By providing more information, Microsoft hopes that its IE engineers will get more feedback from developers about what should or shouldn’t be included in the browser.
Now that it is live, the site also reveals some of the features being added to IE. For instance, IE will support HTTP/2, the next generation Hypertext Transport Protocol under development.
Future versions of the browser will also support the Web Audio API (application programming interface) for playing audio on a Web page or application, and the Media Capture standard for ingesting photos and other user-generated content.
Microsoft IE Engineers will host a Twitter chat Thursday starting at 10 a.m. Pacific time to answer more questions about IE and the Status page, by way of the #AskIE hashtag and @IEDevChat handle.