Microsoft released a Fix It temporary mitigation for a zero-day vulnerability in Internet Explorer 8 that was used in a watering hole attack against the U.S. Department of Labor’s website.
Microsoft issued an advisory warning that an IE 8 zero-day exploit was used to attack the US Department of Labor website and nine others, including government and non-profit organizations in Europe.
The good news is that Microsoft’s Internet
Explorer 8 browser offers a new set of filters designed to prevent some
cross-site scripting (XSS) attacks. The bad news is that those same
filters could be used to enable XSS attacks. That was the gist of a presentation offered by security
researchers David Lindsay and Eduardo Vela Nava at the Black Hat Europe
conference in Barcelona. Read the full article. [Dark Reading]
The latest version of Microsoft’s Internet Explorer browser contains
a bug that can enable serious security attacks against websites that
are otherwise safe. The flaw in IE 8 can be exploited to introduce XSS, or cross-site
scripting, errors on webpages that are otherwise safe. Read the full article. [The Register]
From Network World (Ellen Messmer)
Microsoft’s Internet Explorer 8 rated tops among five browsers tested by NSS Labs for effectiveness in protecting against malware and phishing attacks — though NSS Labs acknowledges Microsoft paid for the tests.
Nevertheless, the test process, which lasted over a two-week period in July at the NSS Labs in Austin, evaluated the browsers based on access to live Internet sites and in theory could be duplicated elsewhere. Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 beta were evaluated as being behind Microsoft IE 8 when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user’s desktop browser. Read the full story [thestandard.com] Here’s a link to the study and results [pdf from nsslabs.com]
The automatic update is one of the more useful tools ever invented by software developers. Click a couple of buttons and you never have to worry about checking for new security updates again–it happens automagically! But it’s also one of the more frustrating and intrusive mechanisms we’ve seen in recent years, thanks to the tendency of vendors to abuse its power and smush in a bunch of extra applications and add-ons that users may have little use or desire for.
From DarkReading (Kelly Jackson Higgins)
Internet Explorer 7 and 8’s default security settings can be unsafe for internal, intranet-based Web applications, according to newly published research.
Cesar Cerrudo, founder and CEO of Argennis, a security consulting firm in Argentina, has demonstrated that IE’s default features for intranet “zones” can be abused to wage attacks on internal Web applications both from the outside and from within the organization. Cerrudo has released his findings [argeniss.com, PDF], which show how default settings can be used both to detect and exploit vulnerabilities in intranet applications. Read the full story [darkreading.com]
By Robert Westervelt, SearchSecurity.com
Microsoft has officially released Internet Explorer 8 today [microsoft.com] with a number of new security features to improve privacy and protect against phishing and cross-site-scripting attacks. From the article:
