From Network World (Ellen Messmer)
Microsoft’s Internet Explorer 8 rated tops among five browsers tested by NSS Labs for effectiveness in protecting against malware and phishing attacks — though NSS Labs acknowledges Microsoft paid for the tests.
Nevertheless, the test process, which lasted over a two-week period in July at the NSS Labs in Austin, evaluated the browsers based on access to live Internet sites and in theory could be duplicated elsewhere. Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 beta were evaluated as being behind Microsoft IE 8 when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user’s desktop browser. Read the full story [thestandard.com]. Here’s a link to the study and results [pdf from nsslabs.com].
Browsing Tag: Microsoft
From Network World (Ellen Messmer)
Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy.
By Eric Schultze
Microsoft has released nine bulletins today, five of them Critical, four of them Important. The bulletins cover a gamut of affected products – almost everything in your enterprise will need to be patched today with the exception of Internet Explorer. No IE patches this month! The majority of bulletin releases these days relate to client-side vulnerabilities – visit an evil website, open an evil document, or read an evil email and you’ll get hacked. These vulns are of greatest concern on the desktop where end users are filling time between Mafia Wars power-ups and Facebook updates by visiting websites that may be hosting content of questionable repute. This month, there are five bulletins addressing these types of issues.
Threatpost editors Ryan Naraine and Dennis Fisher discuss the DDoS attacks against Twitter, Facebook and LiveJournal and delve into Apple’s Mac OS X patch and Microsoft’s Patch Tuesday plans.
Ryan Smith, one of the researchers who found the bug in the Microsoft MsVidCtl DLL that the vendor is rushing to patch this week, has posted a short video demonstration of a technique that bypasses the stop-gap solution of preventing the vulnerable ActiveX control from loading.
From Washington Post (Brian Krebs)
Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month. Read the full story [washingtonpost.com]. See more details at Halvar Flake’s blog [blogspot.com].
From CNet News (Josh Lowensohn)
Microsoft is bringing out the big guns to combat instant message spam and phishing attacks done to users of its Live Messenger network. The Redmond, Wash.-based software giant filed a civil lawsuit Thursday in King County Superior Court in Seattle against Funmobile, Mobilefunster, and several individuals, who Microsoft says are responsible for the intentional misuse of the service to gain the personal information of its users.
In the suit (which is embedded below), Microsoft cites a multitude of attacks including IMs that appear to be coming from users they know, as well as phishing attacks that mimic the look and feel of an outside service, or an official Microsoft support page. Read the full story [cnet.com]. Also see Microsoft’s explanation [microsoft.com].
Attackers have begun using the unpatched vulnerability in Microsoft’s Office Web Components in SQL injection attacks. The vulnerability, which only became public this week, affects millions of users running a number of different versions of Windows, Office and Internet Explorer. The SANS Internet Storm Center said it is receiving reports of SQL injection attacks exploiting the vulnerability and using obfuscated code.
By Eric Schultze
Microsoft released six security bulletins today — three rated Critical and three rated Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.
Today’s release is important because patches were released for two recent 0-day attacks – a QuickTime file parsing vulnerability and the recently announced DirectShow vulnerability. Both vulnerabilities are reported as being actively exploited on the Internet.
Microsoft has expended a massive amount of time, energy and money in the last few years to improve both the quality of its software and the speed and efficiency of its security response process. It has succeeded in large part on both counts, especially on the security and reliability of its products. But, as the company’s response to the privately disclosed MsVidCtl ActiveX vulnerability in Internet Explorer shows, Microsoft still has some ground to cover on the issue of timely response.