nk497 writes "Criminals are taking advantage of unpatched holes in Internet Explorer to launch 'diskless' attacks on PCs visiting malicious sites. Security company FireEye uncovered the zero-day flaw on at least one breached U.S. site, describing the exploit as a 'classic drive-by download attack'. But FireEye also noted the malware doesn't write to disk and disappears on reboot — provided it hasn't already taken over your PC — making it trickier to detect, though easier to purge. '[This is] a technique not typically used by advanced persistent threat (APT) actors,' the company said. 'This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods.'"
An anonymous reader writes "Google has announced it is discontinuing support for Internet Explorer 9 in Google Apps, including its Business, Education, and Government editions. Google says it has stopped all testing and engineering work related to IE9, given that IE11 was released on October 17 along with Windows 8.1. This means that IE9 users who access Gmail and other Google Apps services will be notified 'within the next few weeks' that they need to upgrade to a more modern browser. Google says this will either happen through an in-product notification message or an interstitial page."
New submitter bmurray7 writes "You might think that the country that has the fastest average home internet speeds would be a first adopter of modern browsers. Instead, as the Washington Post reports, a payment processing security standard forces most South Koreans to rely upon Internet Explorer for online shopping. Since the standard uses a unique encryption algorithm, an ActiveX control is required to complete online purchases. As a result, many internet users are in the habit of approving all ActiveX control prompts, potentially exposing them to malware."
An anonymous reader writes with this excerpt from The Register: "The Windows 8.1 rollout has hit more hurdles: the new version 11 of Internet Explorer that ships with the operating system does not render Google products well and is also making life difficult for users of Microsoft's own Outlook Web Access webmail product. The latter issue is well known: Microsoft popped out some advice about the fact that only the most basic interface to the webmail tool will work back in July. It seems not every sysadmin got the memo and implemented Redmond's preferred workarounds, but there are only scattered complaints out there, likely because few organisations have bothered implementing Windows 8.1 yet." Also from the article: "Numerous reports suggest that IE 11 users can once again enjoy access to all things Google if they un-tick the IE 11 option to 'Use Microsoft Compatibility lists.'" And here's Microsoft's KB workaround.
hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program that went on for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26 with Microsoft revealing at the time that it will pay out a maximum of $11,000 for each IE 11 vulnerability that was reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs while Google engineers Ivan Fratric and Fermin J. Serna were each handed out $1,100 and $500 respectively."
An anonymous reader writes "Microsoft is investigating a new remote code execution vulnerability in Internet Explorer and preparing a security update for all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11). The company has issued a security advisory in the meantime because it has confirmed reports that the issue is being exploited in a 'limited number of targeted attacks' specifically directed at IE8 and IE9."
Hugh Pickens DOT Com writes "Ryan Vogt writes in the Mercury News that Shakespeare described death as 'the undiscovere'd country, from whose bourn no traveller returns.' Did you know there is a miraculous way to resuscitate tabs sent to the 'undiscovere'd country,' a sort of Ctrl-Z for the entire Internet, that means 'no more called-out cusswords, no more wishing the back button had you covered when, aiming to click on a tab, you accidentally hit the little X on the tab's starboard.' For Macs: Command [plus] shift [plus] t reopens the last tab. For PCs: Ctrl [plus] Shift [plus] T. 'Try it right now. Close this tab and bring it back. I dare ya.' Melia Robinson's trick [described for Chrome] works in Firefox and Internet Explorer, too, so clumsy mousing won't send the E*Trade tab you mistakenly closed all cued up to sell those 10,000 shares of stock or your long political post on your uncle's Facebook page on a one-way trip to the undiscovere'd country in those browsers, either." No guarantees on the stock trading.
chicksdaddy writes "Lucre from Microsoft's newly minted bug bounty program is lining the pockets of Google researchers. Two Google employees earned the distinction of receiving some of the first (official) monetary rewards under the company's bounty program. Fermín Serna, a researcher in Google's Mountain View, California headquarters, said he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft's Address Space Layout Randomization (or ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna's colleague, Ivan Fratric, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. 'Mainly all security mitigations in place depend on ASLR. So bringing that one down, weakens the system a lot and makes it easy the exploitation of other vulnerabilities,' he said. As for his bounty, Serna (whose resume includes work for Microsoft on the MSRC Engineering team) said it was 'way less' than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which includes ASLR as well as the Data Execution Prevention or DEP technology). 'But still nice!'"
rescendent sends this report about new features in Internet Explorer 11: "Microsoft released Windows Server ("Blue") to MSDN subscribers today, ahead of the BUILD conference later this week in San Francisco. The build provides us a number of clues as to what we will see in the official Windows 8.1 (Blue) preview. The server build number is 9341, the Windows 8.1 preview build will be: 6.3.9431.winmain_bluemp.130615-1214. IE11 scores 351/500 + 2 bonus points, and 25/25 for WebGL. Since this is a server build, the score may be a little higher than IE11 on Win 8.1, but this confirms WebGL for IE11. IE11 WebGL Conformance Test Results: 14,748 of 20,509 tests pass (71.9%). Many things seen in the Server 2012 R2 preview will also show up in the Windows 8.1 preview."
judgecorp writes "Microsoft has sponsored research that indicates that its Internet Explorer browser uses less power than the competition, Firefox and Google (there's no explanation of what causes the difference). However, the difference in power use is not really significant — it's about one Watt when browsing. Browsing for 20 hours at this rate, the IE user would save enough power to make a cup of tea, compared with Firefox and Chrome users. That Microsoft commissioned and published the report seems to indicate a certain desperation to Microsoft's IE marketing efforts."
SternisheFan writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8. ... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"
First time accepted submitter carlypage3 writes "Benefits claimants in the UK are being forced to use Microsoft's now obsolete Windows XP and Internet Explorer 6 software. The Department of Work and Pensions (DWP) states that its online forms are not compatible with Internet Explorer 7, 8, 9 and 10, Safari, Google Chrome or Firefox. As if that wasn't unnerving enough, the Gov.UK website says that users cannot submit claims using Mac OS X or Linux operating systems, either." (Note: as we noted not long ago, it's not just the DWP that's stuck using IE6.)
mikejuk writes "The biggest problem with IE10 as far as modern web apps go is its lack of WebGL support. Now we have strong evidence that IE11 will support WebGL. A leaked build of Windows 'Blue,' aka Windows 8.1, also contained an early version of IE11. Web developer François Remy decided to see what it was hiding and found that there were WebGL APIs, but they were non-functional. Rafael Rivera, who writes the Within Windows blog, dug a little deeper and discovered the registry keys that have to be changed to enable WebGL support. Apparently the API works so well that you can take existing WebGL programs (with OpenGL shaders) and just run them. As the implementation also supports DirectX HLSL shaders, it seems reasonable to guess that the implementation maps OpenGL to DirectX, thus avoiding Microsoft having to endorse OpenGL use."
Billly Gates writes "With the new leaked videos and screenshots of Windows Blue released, IE 11 is also included. IE 10 just came out weeks ago for Windows 7 users and Microsoft is more determined than ever to prevent IE from becoming irrelevant as Firefox and Chrome scream past it by also including a faster release schedule. A few beta testers reported that IE 11 changed its user agent string from MSIE to IE with the 'like gecko' command included. Microsoft may be doing this to stop web developers feeding broken IE 6-8 code and refusing to serve HTML 5/CSS 3 whenever it detects MSIE in its user agent string. Unfortunately this will break many business apps that are tied to ancient and specific versions of IE. Will this cause more hours of work for web developers? Or does IE10+ really act like Chrome or Firefox and this will finally end the hell of custom CSS tricks?"
Dystopian Rebel writes "A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE. Feross Aboukhadijeh has demonstrated that these browsers allow unbounded local storage. 'The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). ... The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer. However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. ... However, Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Aboukhadijeh has logged the bug with Chromium and Apple, but couldn't do so for MSIE because 'the page is broken' (see http://connect.microsoft.com/IE). Oops. Firefox's implementation of HTML5 local storage is not vulnerable to this exploit."
An anonymous reader writes "Internet Explorer 10 for Windows 7 is out. Windows 8 may suck but now you can at least enjoy (most of) that version's Internet Explorer. IE10 for Win7, originally not planned, has seen the light of day after all — four months after it debuted in Windows 8. It is available via Windows Update as an optional update; however, if you've already installed a pre-release version, it will be updated automatically as an 'important' update. IE10 on Win7 requires a platform update to bring some Windows 8 APIs to the more mature Windows, and it will not feature embedded Adobe Flash as the Windows 8 version does (use the plug-in version from Adobe, as usual, instead)."
An anonymous reader writes "It's not every day that we get to hear about the potential downsides of using WebKit, but that's just what has happened as Dave Methvin, president of the jQuery foundation and a member of the core programming team that builds the widely used Web programming tool, lamented in a blog post yesterday. While most are happy to cheer for IE's demise, perhaps having three main browser engines is still a good thing. For those that work in the space, does the story ring true? Are we perhaps swearing at the wrong browser when implementing 'workarounds' for Firefox or IE?"
Billly Gates writes "Microsoft is advising users to stick with other browsers until Tuesday, when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled. There is no word if this patch is to protect IE from the 50+ Java exploits that were patched last week or the new Adobe Flash vulnerabilities. Microsoft has more information here. In semi-related news, IE 10 is almost done for Windows 7 and has an IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates."
DeviceGuru writes "Although IE remains one of the top browsers on desktops, it's being trounced on tablets and smartphones by browsers based on WebKit, including Safari, the Android Browser, and Google Chrome. Faced with this uphill battle on handheld mobile devices, Microsoft MVP Bill Reiss has suggested that it might be time for Microsoft to throw in the towel on Trident and switch to WebKit (though Reiss later decided he was wrong). But although there are lots of points in favor of doing so, there are also some good reasons not to, including security and a need for healthy competition to avoid having mobile developers begin to target WebKit rather than standards."
An anonymous reader writes "Right on schedule, Microsoft on Thursday announced its usual advance notification for the upcoming Patch Tuesday. While the company is planning to release seven bulletins (two Critical and five Important) which address 12 vulnerabilities, there is one that is notably missing: a bulletin for the new IE vulnerability discovered on Saturday. For those who didn't see the news on the weekend, criminals started using a new IE security hole to attack Windows computers in targeted attacks. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are."