New IE Zero-Day vulnerability discovered.

Published September 18, 2012

Security researcher Eric Romang has discovered a new zero-day vulnerability in Internet Explorer, which he claims will affect fully patched versions of Microsoft Internet Explorer 7, 8 and 9.

The exploits, developed over the weekend for the Metasploit exploit toolkit, have been linked to Nitro, the same group of hackers from China who were exploiting two Java zero-days in late August. “Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers such as Chrome or Firefox until a security update becomes available,” a post on the Metasploit community blog said. “The exploit had already been used by malicious attackers in the wild before it was published in Metasploit.”

Microsoft is [strongly] advising all Windows users to install a free security software to protect their PCs from a newly discovered vulnerability in its Internet Explorer browser. The free security tool, called the Enhanced Mitigation Experience Toolkit (EMET), will prevent hackers from gaining access to Windows-based systems and is currently available from Microsoft here .

Disable Java…NOW!!!

Published September 04, 2012

Unfortunately, it appears that Java is once again unsafe. Over the weekend, the good folks over at security firm FireEye spotted a new attack that exploits a vulnerability in Java to install a Trojan named Poison Ivy, which communicates with C&C servers in China and Singapore.

Since there’s no fix in sight, it is highly recommended that users turn off/disable Java in their browsers. This might keep certain websites from operating 100% but, it will help prevent possible “drive-by downloads”. What is a “drive-by download” you might ask? Well, in a drive-by download, your computer becomes infected just by visiting a website which contains malicious code. Cybercriminals search the Internet looking for vulnerable web servers that can be hacked, and when one is found, they can then inject their malicious code onto the web pages. If your operating system or one of your applications is un-patched, a malicious program is downloaded to your computer automatically when you access the infected web page.

For instructions on how to disable Java in Google Chrome, go here, for Firefox, go here, for Safari, here and for disabling it in Internet Explorer, click here. You might be tempted to “downgrade” to an earlier version of Java since these new exploits only target version 7 but, don’t do it! The previous versions of Java also have security flaws. Don’t waste time downgrading to an earlier version since it will be equally insecure.

If you absolutely MUST use a Java-enabled browser for mission-critical productivity apps, Brian Krebs over at Krebs On Security suggests users switch to a secondary browser with Java installed, using a Java-less browser for normal browsing and only occasionally switching to a Java-enabled one. This isn’t a bullet proof plan but, it’s safer than surfing the Web with a browser where Java is fully enabled. Good news if you use Google Chrome, you will get a warning every time Java wants to execute and you can decide for yourself whether or not to allow it.