IT Security news

Microsoft releases critical Internet Explorer patch

by Jose Vilches on December 17, 2008, 2:44 PM

Microsoft has just issued an out-of-band security update to fix a critical vulnerability in its Internet Explorer web browser that is being actively exploited. The flaw, which affects all versions from IE 5 to IE 8 Beta 2, lies in the browser’s data binding function and has been exploited since last week through specially crafted web pages.

Although attacks have reportedly been limited, security experts warned that if carried out successfully, it could give an attacker the same user rights as the local user and ultimately the ability to gain access to sensitive data. Microsoft is urging users of IE to download and apply the patch as soon as possible via the Windows Update mechanism. This marks the second time in only two months that the company has released a security patch outside of its monthly cycle, following one in October which addressed a dangerous remote procedure call (RPC) error that could result in remote code execution.

Lavasoft unveils Avira-based antivirus software

by Jose Vilches on December 15, 2008, 12:14 PM

Swedish security firm Lavasoft may be best known for its popular anti-spyware software Ad-Aware, but the company is now venturing into new territory with an antivirus program designed to appeal to the growing market of people who want standalone products versus combination tools or security suites.


Based on technology from Avira, the new Lavasoft Anti-Virus Helix is said to deliver comprehensive protection and high performance with low impact on system resources. It offers full system scanning and on-the-fly detection, as well as protection from email viruses and other web threats such as worms, Trojans, rootkits, bots, and more.

The product is too new to have certification from the major independent testing labs, and in-depth reviews have yet to surface online, but the underlying Avira technology is generally well-regarded. Anti-Virus Helix offers a 30-day trial period that provides full updates for the product, with a one-year license going for $23.95. All in all, the new program appears to have good chances of becoming a users’ favorite given the ease of use and extensive protection it offers – then again, free anti-virus suites are aplenty.

Microsoft expands zero-day IE warning

by Jose Vilches on December 12, 2008, 6:03 PM

The security hole in Internet Explorer that went unpatched earlier this week is apparently more serious than originally believed, with Microsoft now saying the flaw affects all versions of the browser. In a revised security advisory the company spelled out the root of the problem, saying that the bug is in IE's data binding functionality and, contrary to earlier reports by independent security researchers, not in the HTML rendering code.

Microsoft is trying to get to the bottom of the issue but, in the meantime, is offering users some tips on how to prevent the zero-day attacks, such as making sure their Internet security settings are set to “high” so that IE will prompt before running any ActiveX controls or active scripting. Additionally, the company is recommending that users disable active scripting altogether and enable Data Execution Prevention. Further details on how to stay safe are available here.

Ericsson, Intel collaborate on laptop remote kill switch

by Jose Vilches on December 11, 2008, 9:31 AM

Intel and Ericsson are teaming up to protect lost or stolen laptops with remote kill switches that render them useless via SMS. Specifically, the two companies are collaborating to make Ericsson's mobile broadband modules – which add built-in support for HSPA to laptops – interoperable with Intel's Anti-Theft PC Protection Technology, part of the Intel Centrino 2 with vPro package.

This is similar to what Lenovo announced late last month – sending a text message will lock down the machine by blocking the boot process and presumably trigger a self encrypting drive to protect the computer’s data, with an unlock code bringing the system back to life again. However, Ericsson is making it much more useful by adding the ability to track the stolen machine through GPS. The companies say the first laptops fitted with the technology could start appearing in the middle of 2009.

Zero-day exploits revealed following Patch Tuesday

by Jose Vilches on December 10, 2008, 4:30 PM

Microsoft delivered its biggest patch release in five years yesterday, but this has been overshadowed by a newly discovered zero-day hole in Internet Explorer that went unpatched. The exploit, first seen in China and other parts of Asia, targets Internet Explorer 7 on Windows XP and 2003 using malformed XML tags to take control of the system.

Specifically, the exploit creates an XML tag, waits 6 seconds in an attempt to thwart antivirus engines, then crashes the browser and runs malicious code when it is restarted. According to Symantec, the attack still requires some JavaScript in order to achieve code execution, so blocking JavaScript for untrusted websites could help mitigate the risk.

Additionally, the zero day exploit has been joined by another one involving a memory problem in Microsoft SQL Server 2000 and a third vulnerability that appears to affect the WordPad Text Converter for Word 97. Microsoft says it is investigating the matter.

Microsoft Patch Tuesday brings eight security bulletins

by Jose Vilches on December 9, 2008, 4:41 PM

Microsoft has delivered a monster Patch Tuesday release today with fixes for a number of vulnerabilities – covered in eight security bulletins – affecting all versions of Windows and other applications as well. Of the eight security bulletins six carry a critical rating, meaning they could be used to launch remote code execution attacks with minimal user action.

Two of them apply to Windows, with one for all versions of the OS, and the second just for Windows Vista and Server 2008. A third bulletin addresses a critical flaw in Internet Explorer 6 and 7, while the remaining three relate to Microsoft Office. The two security bulletins rated as important address flaws in Office SharePoint Server and Windows Media Player – with the latter also allowing remote execution of code but rated only as “important” because the user needs administrative rights for the exploit to be really nasty. As always, the advice is to update as soon as possible through Windows Update.

Koobface virus attacks Facebook

by Justin Mann on December 5, 2008, 2:27 PM

Another virus that targets a particular website has surfaced, with the recently-discovered “Koobface” virus trying to wreak havoc on Facebook users. While not completely new, this new iteration has found a way to extend its life. The virus, similar to others in recent history that have targeted specific social networking sites, attempts to spread itself by sending messages to the friends of someone who has already become infected. Naturally, the messages contain links to malicious content, in this case a copy of the virus.

Ultimately, once infected, people are unknowingly led to false websites, with the virus redirecting popular sites like Google, Yahoo and MSN. One of the reasons that social networking viruses seem to be successful is that people tend to trust the sites more, particularly when you are dealing with a site like Facebook that blocks outsiders from sending messages to begin with.

Most anti-virus vendors and security experts believe that as time goes on, viruses and malware will only become more targeted, which could complicate security matters in the future. The smaller the group a virus targets, the less chance an anti-virus vendor will be able to match a signature in time to protect them.

Google denies that Gmail caused domain hijacking

by Justin Mann on November 26, 2008, 12:05 AM

Upset over some recent claims that discredited their email service, Google has stepped forward to try and quell rumors. According to the search giant, some recent domain hijackings that were blamed on security vulnerabilities in Gmail were nothing more than plain old phishing attacks and not the fault of any security flaw within Gmail itself.

More than one domain was taken over after the owners were tricked into giving their Gmail usernames and passwords, which were later used to change settings in their respective GoDaddy registrar accounts. It seems easy to side with Google in this case, as a successful phishing attempt seems a lot more likely than a flaw as dangerous as the one rumored.

Lenovo adds 'Remote Kill' feature to ThinkPads

by Jose Vilches on November 25, 2008, 6:00 PM

Stolen and misplaced laptops can leave companies susceptible to costly data breaches, even more so if a notebook goes missing while the operating system is fully loaded, but Lenovo believes it has come up with a solution for that problem. The company, in conjunction with Phoenix Technologies, will begin adding a feature to Lenovo notebooks that allows them to be “remotely killed” via a text message sent from a cell phone.

The new Constant Secure Remote Disable feature will come embedded within certain 3G-enabled ThinkPads’ BIOS and can be activated with a simple text message command such as “Turn off PC” from a specified cell phone number. The lockdown will happen immediately if the notebook is turned on or the next time the system signs on to a cellular network and from there the self-encrypting hard drive should take over to protect the computer’s data.

To reactivate the disabled PC, a user needs to enter a preset pass code after the notebook is restarted. The service will be available in the first quarter of 2009 on select ThinkPad notebooks at no additional charge and will be supported worldwide wherever cellular phone systems support text message transmission. If the computer is out of cellular range, though, you’re out of luck.

Mac OS X targeted by Trojan posing as codec

by Justin Mann on November 25, 2008, 4:44 PM

Even though Windows is the biggest target for malicious coders, we can't forget that other platforms are vulnerable too. Mac OS X has been targeted several times in the present year by dangerous Trojans, and lately a particularly nasty one has reared its head. The newly discovered Trojan, a variant of an older one, attempts to infect machines and may also download additional files in the future. Currently it only downloads one particular piece of nasty code – though it's speculated a similar tactic could be used in the future to download any number of infections.

This Trojan, dubbed OSX.RSPlug.D, is considered more dangerous than another one discovered this week, OSX.Lamzev.A, as the former does not require local access to the machine. It appears, in a tactic similar to many Windows viruses, as a “codec” needed to view video files. Apple has not yet issued a comment on this, though one question many wish they would answer is whether they will take the Microsoft route to anti-virus protection, not providing it by default or offering it as a stock option with the OS.

AVG offers free one-year license for deleting key file

by Jose Vilches on November 14, 2008, 3:46 PM

Security vendor AVG is doing some damage control today. Following an embarrassing slip-up in which their antivirus software misidentified a key Windows system file as malware, crippling non-English versions of XP, the company has announced it will offer a free license or a license extension to those affected by the faulty update.

Essentially, the offer covers a free one-year AVG 8.0 license for affected users of commercial AVG 7.5 products or a license extension for those already running the latest version. In addition, affected users of AVG Free products will get a free one-year license for AVG Anti-Virus 8.0. Interested? The company says it will contact affected customers beginning November 24 and advise them on how to obtain the free year of service.

AVG identifies Adobe Flash as malicious

by Justin Mann on November 14, 2008, 2:15 PM

AVG isn't doing well with the false positives these days. Just a few short days after crippling non-English versions of Windows XP with a botched update, the company now has another problem. The latest update of their suite is now flagging the nearly ubiquitous Adobe Flash as a malicious trojan.

The suite of course gives people the choice about whether or not to remove Flash, and at least in this most recent instance it is not a mission-critical file that disables the system that has been misidentified. Still, false positives are something that not only prevent people from trusting their A/V suite, but hinder people's ability to properly react to a problem when a real one exists.

AVG recently identified a software firewall suite, ZoneAlarm, as malicious as well, putting some serious doubts into the company's QA. The company has made a public statement that they are implementing systems to prevent these false positives from continuing to pop up.

Microsoft rushes out emergency Windows patch

by Jose Vilches on October 23, 2008, 10:50 AM

Microsoft characteristically releases security updates and fixes on the second Tuesday of every month, an event that has come to be known as Patch Tuesday, but on rare occasions the company will issue an out-of-schedule update to address vulnerabilities that require immediate attention. Such is the case today, with the company rushing out an emergency security patch for Windows users.

Microsoft offered few details on why it was releasing the software update, which is rated “critical” for users of Windows 2000, XP, and Server 2003 but carries the less severe rating of “important” for users of Windows Server 2008 and Windows Vista. It did say, however, that the vulnerability could result in remote code execution, enabling an attacker to take control of a target’s computer.

The update will be released today at 10.00am Pacific Time, with a restart required. As a side note, it is being reported that the last such emergency patch issued by Microsoft was in April 2007, when the company fixed a vulnerability with .ani cursor files that was being exploited by malicious code hosted on hundreds of websites.

Zero-day exploit for QuickTime in the wild

by Jose Vilches on September 18, 2008, 4:01 PM

It didn’t take long for an exploit to emerge in QuickTime version 7.5.5. Merely a week after Apple updated the media player to plug nine security bugs, a proof-of-concept exploit for a zero-day vulnerability has been posted, which can be used to crash iTunes, a web browser, or any other program that uses the QuickTime plug-in.

The exploit, which was published on the milw0rm.com site earlier this week, takes advantage of a flaw in QuickTime that causes a crash when an unusually-long parameter is passed along with a movie file. While not actually demonstrated, it is also claimed that remote code execution may be possible “with no user interaction, other than an attempt to view a file.”

At the moment, there is no recommended workaround or patch available for the code exploit, so users are (as always) encouraged to safely browse the web and avoid opening QuickTime files from unknown sources.

Google fixes up Chrome flaws, launches Chrome blog

by Justin Mann on September 9, 2008, 12:30 PM

Today Google announced their progress and mission plan for taking care of the current and future security issues with their new Chrome browser. In particular, they revealed some details about the two biggest known flaws. Those have been fixed, along with some other minor issues.

Google also has opened a Chrome Releases blog, which they are using to openly document their progress on the browser. Unlike the often easily-readable release notes you normally expect from a browser like Firefox, Google wasn't all that revealing about what exactly it was doing with updates. With this, that seems to have changed.

The browser is facing criticism due to lack of site compatibility and other issues, but I think it is far too early after release to really judge what sort of browser it will be.

Microsoft recalls and re-releases Office 2003 patch

by Justin Mann on August 25, 2008, 5:01 PM

Microsoft is backtracking on an update released earlier this month, after they discovered that a patch was released with a severe flaw. Users of Office 2003 had the option of installing a patch to fix several security vulnerabilities, and one of the patches in particular, MS08-051, was incomplete. It didn't encompass the entire set of vulnerabilities, letting the system (and user) believe they were up to date when in fact they weren't.

Microsoft has since rolled back the patch, and reminded users that people making use of Windows Update didn't have to worry about anything – only manual downloads were affected. For those that did install the security update manually, via the downloadable hotfix, the patch must be first uninstalled and then reapplied with the correct version.

Red Hat servers compromised

by Justin Mann on August 25, 2008, 4:33 PM

Companies who specialize in Linux, particularly Linux servers, often tout the increased reliability of the platform as a reason for choosing it over other options. Thus, when a big-name Linux vendor has their own servers compromised, it's a very interesting event. Recently, Red Hat announced that some of its servers had been compromised by outside attackers. The attack, Red Hat says, ended up resulting in several software packages being signed, which could result in downstream users becoming compromised as well if they installed the tainted software.

Red Hat has already issued a tool to detect if a system has been compromised, and claims that their RHN platform itself was not compromised, nor was any software development, such as source code for Fedora or other works.

According to Red Hat, internal security measures they had in place prevented the intrusion from causing widespread damage. It is still obviously a big red flag to many.

Rogue Flash ads overwrite clipboard

by Jose Vilches on August 20, 2008, 6:04 PM

There is a new type of malicious advertising doing the rounds, one that targets users of Windows, Mac, and Linux systems running IE, Firefox, and Safari. The attack, which was made public via a number of discussion boards, exploits a feature in Flash to put a plain-text string of characters on a user’s clipboard.

While the feature alone appears to pose no security risk at all, hackers are using it in tandem with Flash-based banner ads on legitimate sites to persistently overwrite the clipboard with a malicious URL – effectively hijacking the clipboard until the browser window is closed. This of course can lead some people to unknowingly spam the link, which points to a fake anti-virus product for sale.

Adobe says it is investigating potential solutions to this issue and has promised to update customers as soon as more information is available.

Microsoft seeks to help software devs fix security bugs

by Justin Mann on August 8, 2008, 5:32 PM

Microsoft is seeking to take a more responsible role in the realm of PC security, and as such is launching a program to assist third party Windows software developers in locating and fixing security bugs. The Microsoft Vulnerability Research team isn't making a whole lot of new waves, as Microsoft already does to an extent help external software vendors in fixing security flaws, but brings the entire scope of that work into one name.

The basic idea is to report vulnerabilities as they are discovered and then, if needed, help develop a fix for them. This is almost a mirror image of instances in the past where Microsoft has delayed a fix for a critical security flaw and a third party has created a patch for it in the interim.

Though Microsoft is willing to assist other developers, they made it clear that the Windows Update service is, and always will be, exclusive to Microsoft products (excluding driver updates) and they will not be working on any system in which all installed software can be periodically checked for updates. This is an advantage that operating systems like Mac OS X have, in which larger ranges of software can be updated all at once.

Microsoft readies 12 fixes for next Patch Tuesday

by Jose Vilches on August 8, 2008, 3:26 PM

IT system administrators will be mighty busy this month, with Microsoft announcing it is prepping 12 security fixes for its next Patch Tuesday release – seven of which are labeled as “critical” and have the potential to allow remote code execution.

Four of the seven critical updates address vulnerabilities in Access, Excel and PowerPoint, while the remaining three target Windows, Internet Explorer and Media Player 11. The five less serious “important” flaws cover vulnerabilities in Windows, Outlook Express and Windows Messenger.

As usual, Microsoft divulged little information about each update, limiting the disclosure to naming the affected software and describing only in general terms the nature of the bugs. Starting October, however, the company will take a major shift in its security strategy by giving security vendors earlier access to technical details of its monthly security patches for them to get ahead of attackers.