Security Advisor

IE 8 Gets Pwned in IT Security Contest

Microsoft got pwned. Last week, researcher Stephen Fewer of Harmony Security used three exploits to hack IE 8 at the Pwn2Own contest, which was part of the CanSecWest conference.

What is relatively unexpected is the lingering issue of the MHTML/IE vulnerability, which has caused Microsoft to issue new guidance in an updated security advisory.

"Truthfully, it's disturbing that a known critical vulnerability has been left unpatched for such an extended period of time," wrote Chris Greamo, vice president of research for Invincea Labs, to me when it was discovered last week that Redmond wasn't going to patch the MHTML flaw despite the fact that it first surfaced in January.

Despite the absence of a patch, Redmond is saying in this latest advisory that users and administrators who have applied the automated "fix it" from Microsoft Knowledge Base Article 2501696 or enabled the "MHTML protocol lockdown" workaround in the latest wouldn't be "exposed to this vulnerability."

Microsoft Security Response spokesperson Jerry Bryant says that the bugs that helped pwn IE 8 are nipped in the release candidate version of IE 9 and that there was a patch coming for IE 8. With the shelling that IE is taking, it would be interesting to see if these developments warrant an out-of-band patch for the MHTML issue at the very least.

But I'm going to guess that Microsoft will wait until April on this one.

Flash Bug Confirmed in Excel Sessions

Adobe Systems Inc., whose applications have increasingly become a favorite target of client-side intruders, said in its latest security advisory that a zero-day bug for its Adobe Flash application is on the loose.

Hackers are apparently exploiting the Flash files within an Excel document that hits a user's e-mail. If the user is careless or is tricked into opening the file in Excel, it's hammer time for the OS.

Adobe didn't say "hammer time," but they probably should have, as the implications were there with this statement: "The vulnerability could cause a crash and potentially allow an attacker to take control of the affected system."

While Adobe isn't aware of new attacks for its Reader or Acrobat PDF viewer and creator apps, the year is still young and those have been popular attack vectors since this time in 2010.

Adobe promises to patch Flash, Reader and Acrobat in the next week.

Japan Earthquake Shakes Loose Hackers, Hoaxes

Straight from the "oh, come on now," "have you no shame?" and "way too soon" news files is word that cybercriminals are taking advantage of the Japanese earthquake, tsunami disaster, and the fear of nuclear meltdown in grand hacker style.

Within a mere two days of the disaster, Symantec researchers observed more than 50 domains with the names of either "Japan tsunami" or "Japan earthquake" that are likely being prepped for Internet phishing, spoofing or fraud spam exercises. In the case of the fraud spam, spammers are asking for financial assistance for victims in the way a deposed African dictator, Haitian earthquake victim or Libyan exile would all say via unsolicited e-mail that your bank account is the key to their survival and salvation.

Meanwhile Sophos, which discussed the Fukushima Daiichi nuclear power plant meltdown in Japan in the wake of the natural disaster, said spammers sent out a hoax SMS mobile text message claiming that radiation may spread to the Philippines. In that case, the hoax was so widespread that the Philippine Department of Science and Technology had to issue a public statement to calm the ruckus.

"The advice circulating that people should stay indoors and to wear raincoats if they go outdoors has no basis and did not come from DOST or the National Disaster Risk Reduction Management Center."

Question for spammers and cyber crooks: Really?

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
