Aug 21

Microsoft is trying to protect Internet Explorer users by introducing a "privacy mode" for the next release of its Internet Explorer 8 web browser.

By clicking a button, users of IE8 will be able to limit how much information is recorded about where they go online and what they do.

Microsoft watchers have spotted two patent applications covering ways to manage the amount of information a browser logs. When introduced, the privacy mode will match features found on other browsers.

Australian blogger Long Zheng has found two patent applications made by Microsoft on 30 July for ideas it calls "Cleartracks" and "Inprivate". The applications deal with methods of erasing data that browsing programs log, turning off features that record sites visited or notifying users of what sites are doing to log a visit. While many browsers already have menu options that let people alter security settings and clear history files, this typically has to be done on a use-by-use basis.

Users may wish to turn on the privacy mode if they are planning a surprise party, buying presents or researching a medical condition and do not want other users of the same computer to find out.

Internet Explorer 8 is due to go on general release late in 2008 though early trial versions are already available.

Aug 13

Symantec warns Internet Explorer users about vulnerabilities to attacks targeting ActiveX. According to Symantec’s Sean Hittel, attackers have found a way to serve users the vulnerability prior to exploiting it. Targeted is a critical security flaw in the ActiveX Control for the Snapshot Viewer for Microsoft Access.

Microsoft has patched the vulnerability via a security bulletin issued in July 2008, but the update was deployed only on the systems with the software installed. Symantec claims that all Internet Explorer users are vulnerable.

"Recently, we came across a rather unfortunate exploit case for the Access Snapshot Viewer ActiveX Vulnerability that took advantage of a property of the ActiveX system to exploit IE users who did not have the vulnerable control installed. How does one exploit a vulnerability that does not exist on a system you say? Sadly, attackers have found a way to install the vulnerable Access Snapshot Viewer ActiveX control through Internet Explorer prior to exploiting it," said Hittel.

Symantec indicated that the control is signed and as such its installation is completely silent. In fact, no user interaction is required for a system to become vulnerable. The attackers’ aim is to install the vulnerable control on the targeted computers, and then exploit the associated vulnerability.

"Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected," Hittel stated.

Microsoft’s ActiveX technology is an important factor for attacks due to its ubiquity and distribution model. Symantec has warned that the silent ActiveX installations, part of the core of ActiveX operation, contribute to exposing end users to security risks.

Jun 26

Microsoft released the first update for Internet Explorer 8 through Windows Update. Terry McCoy, Program Manager, Internet Explorer Security, said that Microsoft had started serving the Internet Explorer 8 Beta 1 June Security Update through Windows Update.

"If you are using IE8 Beta 1 for Developers, we encourage you to download this security update through Windows Update or the Microsoft Download Center today," said McCoy. The update was released on June 10, 2008, concomitantly with the company’s monthly patch cycle, and the IE Cumulative Security Update for June 2008. The release was pushed through the Download Center and up for grabs for the various versions of Windows which support Internet Explorer 8 Beta 1.

The links for the IE8 Beta 1 update via the Download Center as well as the associated Knowledge Base article are no longer functional. In this regard, IE Beta 1 end users that have not manually downloaded and integrated the update with the latest iteration of the Internet Explorer browser will have to turn to Windows Update for the refresh.

The IE8 Beta 1 June Security Update offers the bulletins designed to address security vulnerabilities including the Critical HTML Objects Memory Corruption flaw, and the Request Header Cross-Domain Information Disclosure hole rated as Important. Another modification aimed at web content developers and designers is also provided via a meta-tag set up to instruct IE8 to render a website’s content as its predecessor, Internet Explorer 7.

Jun 9

Microsoft readies patches for critical vulnerabilities affecting its Windows client and server operating systems, as well as components that ship by default with the platform.

The Redmond company is wrapping up no fewer than seven security bulletins for an unspecified number of vulnerabilities impacting even Windows Vista and Windows XP updated with Service Pack 1 and Service Pack 3 respectively. The seven security bulletins are scheduled for delivery on June 10, 2008, in accordance with the Redmond company’s monthly patch cycle.

"It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change. As part of our regularly scheduled bulletin release, we’re currently planning to release: three Microsoft Security Bulletins rated Critical, three Important, and one Moderate. As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated," revealed Bill Sisk, security response communications manager for Microsoft.

The three Critical security bulletins will impact both the 32-bit and 64-bit editions of Windows Vista RTM and SP1, Windows Server 2008, Windows Server 2003, Windows 2000 and Windows XP SP2 and SP3. The patches will address vulnerabilities which could allow for Remote Code Execution in the eventuality of successful exploits. According to Microsoft, the Bluetooth service is at risk, along with various versions of Internet Explorer, including 7, 6, 5.01 SP4, and DirectX 10, 9.08.1 and 7.0. Windows XP SP3 and Windows Vista SP1 contain all the high-risk security holes which will be patched by the Critical bulletin on June 10.

"Finally, we are planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS)," Sisk added.

SOURCE: softpedia.com

Jun 7

Microsoft’s monthly security update next Tuesday will see seven fixes including a critical update for Internet Explorer.

There are three critical updates, three important updates and one classed as moderate.

The three critical updates fix holes in Windows, and one in Internet Explorer, which all allow remote code execution using Bluetooth, IE and DirectX.

The three important updates all relate to Windows and remote code execution as does the single moderate update.

The company is also releasing an updated version of its Malicious Software Removal Tool.

More info from Microsoft here. ®

© The Register.
