Microsoft’s new flagship operating system, Windows 8, was released at the end of October, and a new zero-day arrived with it. A recent SC Magazine article describes how the French security firm Vupen is offering the newly discovered exploit for sale; reportedly, around $50,000 would buy the vulnerability, which has been described as affecting the new Internet Explorer 10 browser.
According to the article:
Last week, Vupen CEO Chaouki Bekrar tweeted that “various” IE10 and Windows 8 vulnerabilities had been combined to circumvent exploit mitigation safeguards in Windows 8, which was released to the public on Oct. 26. The exploit was reportedly not disclosed to Microsoft, nor was its price made public. Vupen did reveal that the zero-day could allow a particularly skilled hacker to bypass embedded security measures, which include high-entropy address space layout randomization (HiASLR), anti-return oriented programming (AntiROP), data execution prevention (DEP) and protected-mode sandbox.
According to the article, Vupen sells vulnerability information only to governments and businesses, but this is still very concerning. Because the flaw has not been shared with Microsoft, no patch is coming, and a bug traded this way becomes a means of holding applications, businesses and governments hostage. Note too what the tweet claims: the chain defeats HiASLR, anti-ROP, DEP and the protected-mode sandbox, so the mitigation layers Windows 8 adds cannot be relied on by themselves. Secure coding needs to be the priority of developers, and time to market needs to be properly balanced against ensuring as few vulnerabilities as possible.
Well, it is another day and another set of vulnerabilities in Java. It appears that Java is the vulnerability gift that keeps on giving. According to an article published by SC Magazine on September 25:
Polish vulnerability research firm Security Explorations, which has discovered a slew of Java bugs this year, said the latest flaw impacts Java SE versions 5, 6 and 7 running in all major web browsers – Firefox, Google Chrome, Internet Explorer, Opera and Safari.
Security Explorations notified Oracle of the vulnerability on Tuesday and also posted a message on BugTraq, a mailing list archive, the same day. Researchers are not aware of any attacks actively exploiting the flaw.
Adam Gowdiak, founder and CEO of Security Explorations, said in an email Tuesday to SCMagazine.com that the firm discovered the bug – which allows machines to be compromised through a complete Java security sandbox bypass – late last week.
“A malicious Java applet or application exploiting [this bug] could run unrestricted in the context of a target Java process, such as a web browser application,” Gowdiak said. “An attacker could then install programs, view, change or delete data with the privileges of a logged-on user.”
With Java so prevalent on the Internet and in enterprise back-end systems, Oracle’s own products included, this remains a serious issue. Note what the flaw actually is, though: a sandbox bypass reached through a malicious applet, which means the immediate exposure is in browsers running the Java plug-in rather than in server-side Java that already runs trusted code. Until Oracle ships a fix, disabling or removing the browser plug-in wherever it is not needed closes that door; beyond that, it may be time to consider another development platform or to get Oracle to get Java back on track…
Microsoft has released Microsoft Security Advisory (2757760) regarding the zero-day vulnerability within IE. According to the advisory:
Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.
The advisory does not provide a fix but points users to Microsoft’s security best practices. Until a patch ships, it may be worthwhile to use Chrome or Firefox instead. Note that upgrading from Windows XP or Vista does not help by itself: IE9 on Windows 7 is affected too, and the unaffected IE10 only ships with Windows 8. It is still too early to know whether Windows 8 will be worth the upgrade…
A new zero-day exploit for Internet Explorer has been identified in the wild. There is still no CVE number or detailed data, but the vulnerability is reported to involve manipulation of image (img) element arrays in a way that could allow a context-dependent attacker to execute arbitrary code.
In Microsoft Security Advisory (2661254), posted August 16, Microsoft warns that Windows will stop accepting certificates whose RSA keys are shorter than 1024 bits. While this is almost a month old, the official Microsoft TechNet Blog on September 6 is reiterating the issue and alerting businesses to replace the keys in use before the October Windows Update push.
The blog states the following:
“As many of you are aware, Security Advisory 2661254 was initially made available in August via the Download Center and the Microsoft Update Catalog, with distribution through Windows Update planned for October 2012. To help ensure that all customers are prepared for the update, we are reiterating those announcements before releasing the requirement change with our monthly bulletins on Oct. 9. Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they “still work” and have not had any cause for review for some time.”
Microsoft’s point is that once the October update is installed, anything still depending on an RSA key shorter than 1024 bits will break, so organizations that patch late, or never patch, need to inventory now rather than discover the breakage later. The change also reaches end users: a patched client will refuse a website whose certificate chain still contains a short key, which means businesses that have not updated their certificates can expect calls from customers who can no longer reach their sites.
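The inventory the TechNet post asks for reduces to a concrete check: find every RSA key under 1024 bits, in local stores and on public-facing sites, before the October update starts rejecting them. The PowerShell below is an added example, not code from the post or from Microsoft. It assumes Windows PowerShell on a machine that can read its own certificate stores, and the host names passed to Test-TlsKeySize are placeholders for your own sites.

```powershell
# Added example: locate RSA keys shorter than 1024 bits ahead of KB2661254.
# Assumptions: Windows PowerShell, read access to Cert:\ drives, outbound TCP
# to the endpoints you test. Host names used below are placeholders.

$MinimumBits = 1024

function Get-ShortRsaCertificate {
    # Walk every store under the machine and user hives and return any RSA
    # certificate whose public key is below the minimum. Non-RSA keys are
    # skipped, since the October change only concerns RSA key length.
    param([int]$MinBits = $MinimumBits)
    foreach ($root in 'Cert:\LocalMachine', 'Cert:\CurrentUser') {
        Get-ChildItem -Path $root -Recurse |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
            ForEach-Object {
                $bits = $_.PublicKey.Key.KeySize
                if ($bits -lt $MinBits) {
                    [pscustomobject]@{
                        Store      = ($_.PSParentPath -replace '^.*::', '')
                        Subject    = $_.Subject
                        Thumbprint = $_.Thumbprint
                        KeyBits    = $bits
                        NotAfter   = $_.NotAfter
                    }
                }
            }
    }
}

function Test-TlsKeySize {
    # Connect to a TLS endpoint, fetch the server certificate, build its chain,
    # and report the smallest RSA key anywhere in that chain. The validation
    # callback always returns $true so a certificate Windows already rejects
    # is still fetched and measured rather than hidden behind a handshake error.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$MinBits = $MinimumBits
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        # Intermediates and roots are subject to the same rule, so measure the
        # whole chain, not just the leaf.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($leaf)
        $rsaBits = $chain.ChainElements |
            ForEach-Object { $_.Certificate } |
            Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
            ForEach-Object { $_.PublicKey.Key.KeySize }
        $minInChain = ($rsaBits | Measure-Object -Minimum).Minimum

        [pscustomobject]@{
            Host         = $HostName
            Subject      = $leaf.Subject
            LeafKeyBits  = $leaf.PublicKey.Key.KeySize
            MinChainBits = $minInChain
            WillBreak    = ($minInChain -lt $MinBits)
            NotAfter     = $leaf.NotAfter
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: anything listed here needs a new key before the October bulletin.
Get-ShortRsaCertificate | Format-Table -AutoSize
'www.example.com', 'mail.example.com' | ForEach-Object { Test-TlsKeySize -HostName $_ } | Format-Table -AutoSize
```

Run the store scan on every server that has been “tucked away to collect dust”, not just the web tier: code-signing and internal CA certificates are caught by the same rule. Test-TlsKeySize reports WillBreak when any RSA key in the chain is short, because a 2048-bit leaf issued by a 512-bit intermediate still fails after the update.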